Because IT security breaches have become so prevalent, the common model for addressing them is often more reactive than proactive. Have you given up and given in to the idea that breaches are inevitable? Money, time and effort is put into establishing incident response teams, but often preventative efforts don’t go much further than applying the patches released by major software vendors – and sometimes even that falls by the wayside.
It’s true that some breaches are unavoidable, but when they occur, time is of the essence. You need to know about it as soon as possible so you can take steps to ameliorate the damage. Auditing can mean the difference in whether you get that information in time. And in some cases, the breach didn’t have to happen at all. Auditing is also your best defensive tactic for preventing security breaches. In fact, many of the specific breaches reported over the last few months could have been prevented or remediated by a good auditing program. Let’s take a look at some examples.
- The personal data of an unknown number of U.S. Securities and Exchange Commission (SEC) employees was downloaded to a thumb drive and then uploaded to another government agency, not once but twice. Auditing of file access permissions could have ensured that only those persons who really need the data could access it.
- In the case of a California medical supply company, the breach was deliberate, when employees disclosed customers’ medical information to competitors. The suspicious activity was discovered, but not until long after the data was stolen. Better auditing could have prevented the breach or alerted admins more quickly in the same way as the inadvertent breach discussed above.
- Personal and medical information of thousands of patients at a California medical center were accessed by an employee. Under California law, the hospital was required to notify all potentially affected patients. File server auditing can keep administrators on top of what information is being accessed by whom and alert administrators to situations like this.
Many breaches involve access by persons who should not have access. This can happen due to the wrong configuration settings or the wrong permissions being assigned to an account. Even when everything is set up perfectly, changes can be inadvertently or deliberately made that put your organization’s security at risk.
Change auditing can detect potentially dangerous situations before an actual breach occurs. Netwrix Auditor is one of the most comprehensive solutions for tracking and managing changes and ensuring that there are no unintended consequences when necessary changes to settings or permissions are made.
Sometimes the unauthorized access is more difficult to prevent because it’s done using an account that has a legitimate need for permissions to the particular files.
- In a different California hospital, medical staff employees used the credentials of three doctors to access the records of celebrity Kim Kardashian and other patients. Careful auditing of file and database access could reveal patterns that were out of the ordinary for the doctors’ accounts and alert administrators in real time that those records were being accessed.
A popular way to gain unauthorized access is through a brute force attack, which can involve trying multiple password/user combinations until one works.
- Japanese gaming companies Konami and Nintendo have both been the victims of recent brute force attacks that compromised customer information associated with thousands of user accounts.
Auditing of logons, particularly failed logon attempts, can indicate that a brute force attack is in progress and real-time notification can make it possible for administrators to respond before the network is breached.
- You might recall reports in 2012 of a data breach that occurred at the Utah Department of Technology Services, whereby the social security number of more than 25,000 people were compromised. That breach resulted from a configuration error that allowed hackers to access the servers.
Configuration auditing is a must to prevent this type of attack. By auditing the configurations of Active Directory and other databases where configurations are stored, as well as Group Policy settings, file server configuration and file access, SQL Server and all Windows servers, you maintain complete control over what’s happening on your network on an ongoing basis.
It’s not only misconfiguration of the operating system that can put you at risk – improperly configured third party applications can pose an even bigger threat because their vendors may be less proactive about warning users of problems discovered with default configurations, and changes that are made to the settings may be overlooked. I like that Netwrix Auditor can audit virtually any application, via session auditing and tracking of configurations stored in databases.
Auditing may seem like a dull topic, but helping to thwart cybercriminals by preventing and more readily detecting security breaches can save your company money and its reputation, and that’s pretty exciting.
An ounce of auditing prevention is worth a pound of cure!
