Wendy Yale, Varonis: The Top 10 Things IT Should Be Doing (but isn’t)
1: Data Entitlement (Access Control List, ACL) Reviews
2: Revocations of Unused and Unwarranted Permissions
3: Removal of Global Group ACLs like “Everyone”
4: Deletion or Archiving of Stale or Unused Data
5: Deletion of Unused User Accounts
6: Identification of Data Business Owners
7: Preservation of All User Access Events in Searchable Archive
8: Continuous Auditing of Key User Accounts
9: Continuous Auditing of Key Data Folders
10: Continuous Auditing of Security Settings to Data
Every file and folder on a Windows or Unix file system has access controls assigned to it that determine which users can access the data and how (i.e., read, write, execute or list). These controls need to be reviewed on a regular basis and the settings documented, so that they can be verified as accurate by data business owners and security policy auditors.
Users with access to data that is not directly relevant to their jobs constitute a security risk for organisations. Most users only need access to a small fraction of the data that resides on file servers. It is important to review and then remove or revoke permissions that are unused.
It is not uncommon for folders on file shares to have access control permissions allowing “everyone” or all “domain users” (nearly everyone) to access the data they contain. This creates a security risk because any data placed in that folder will inherit the permissions. Global groups may be an easy default setting but they constitute a security risk because those who place data in these wide-open folders may not be aware of the lax access settings. Global access to folders should be removed and replaced with rules that give access to the explicit groups that need it.
Not all of the data contained on shared file servers and network attached storage devices is in active use. By archiving stale or unused data to offline storage or deleting it, IT makes the job of managing the remainder simpler and easier, while freeing up an expensive resource.
Directories may at times contain user accounts for individuals who are no longer with the company or group. These accounts constitute a security hole: anyone with a working knowledge of, and access to, the user directory may retrieve information under someone else’s name. Organisations should routinely identify inactive users and verify that each account is still needed.
IT should keep a current list of data business owners and the file share folders for which each has responsibility. By having this list “at the ready,” IT can expedite a number of the previously identified tasks, including verifying permissions revocations, user account deletions and data to be archived. The net effect is a marked increase in the accuracy of data entitlement permissions and, therefore, data protection.
Even for environments where the user-to-data permissions are current and accurate, it is important to maintain a searchable archive of all user access events. This will help organisations with forensic analysis should data misuse or loss occur. IT should be able to search on a username, filename as well as date of interest and any combination thereof to ascertain who accessed what and how. This information can also help expedite helpdesk call resolution.
Whether it is administrators or user groups with access to sensitive and valuable information, it is important to monitor access event activity to ensure that it is consistent with appropriate business access. An infected laptop, for instance, may register an inordinate number of file “deletes” for a given user. IT should have alerting mechanisms in place that identify anomalous access activity on file shares and send notification of the activity to the appropriate personnel.
Folders that are known to contain sensitive or valuable information should be monitored for all access activity. Business owners should receive a daily or weekly report of user access to key folders they own, so that any activity deemed inconsistent with known business needs can be quickly identified and the risk mitigated.
IT should have the ability to capture and report on access control changes to data — especially for highly sensitive folders. If access is incorrectly assigned or changed to a more permissive state without good business reason, the data business owner will be able to quickly identify and mitigate the situation by reporting the inconsistency to IT.
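As an added example covering items 3 and 10 (not Varonis code), the review below takes two ACL snapshots of a file share, flags folders whose ACLs grant access to global groups, and reports ACEs that were added or made more permissive since the previous snapshot. The snapshot line format, the list of global principals and the simplified ordering of NTFS right levels are assumptions chosen for the example; deny entries and inheritance flags are not modelled.

```python
"""Review file-share ACL snapshots for global groups and permission drift."""
from collections import defaultdict

# Principals that grant access to (nearly) every account; extend per domain.
GLOBAL_PRINCIPALS = {"Everyone", "NT AUTHORITY\\Authenticated Users",
                     "BUILTIN\\Users", "CORP\\Domain Users"}
# Simplified ordering of NTFS right levels, most permissive highest.
RIGHT_LEVEL = {"ReadAndExecute": 1, "Modify": 2, "FullControl": 3}

def parse_snapshot(text):
    """Parse constructed 'path|principal|rights' lines into {path: {principal: rights}}.
    This flat format is an assumption, e.g. what an export of Get-Acl's
    Access entries could be flattened to; it is not a tool's native output."""
    acl = defaultdict(dict)
    for line in text.strip().splitlines():
        path, principal, rights = (f.strip() for f in line.split("|"))
        acl[path][principal] = rights
    return acl

def review_acl(snapshot):
    """Item 3: folders whose ACL grants a global group access."""
    return {p: sorted(who for who in aces if who in GLOBAL_PRINCIPALS)
            for p, aces in snapshot.items() if set(aces) & GLOBAL_PRINCIPALS}

def acl_drift(before, after):
    """Item 10: ACEs added or widened between two snapshots, for owner review."""
    findings = []
    for path, aces in after.items():
        old = before.get(path, {})
        for who, rights in aces.items():
            if who not in old:
                findings.append((path, who, "added", rights))
            elif RIGHT_LEVEL.get(rights, 0) > RIGHT_LEVEL.get(old[who], 0):
                findings.append((path, who, "widened", f"{old[who]}->{rights}"))
    return findings

# Constructed sample: last week's and today's ACL export of two folders.
BEFORE = """
\\\\fs01\\Finance|BUILTIN\\Administrators|FullControl
\\\\fs01\\Finance|CORP\\Finance-RW|Modify
\\\\fs01\\Finance|CORP\\Finance-RO|ReadAndExecute
\\\\fs01\\Projects|CORP\\Domain Users|ReadAndExecute
"""
AFTER = """
\\\\fs01\\Finance|BUILTIN\\Administrators|FullControl
\\\\fs01\\Finance|CORP\\Finance-RW|Modify
\\\\fs01\\Finance|CORP\\Finance-RO|Modify
\\\\fs01\\Finance|Everyone|ReadAndExecute
\\\\fs01\\Projects|CORP\\Domain Users|ReadAndExecute
"""

if __name__ == "__main__":
    print("global groups:", review_acl(parse_snapshot(AFTER)))
    print("drift:", acl_drift(parse_snapshot(BEFORE), parse_snapshot(AFTER)))
```

Run on a scheduled export, the drift list is the report the data business owner should receive, and any "added" global principal is the case item 3 says to remove.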
These are ten things you can do within a short timescale which will not only secure the data in your organisation but also secure your place in the organisation if someone gets hold of information they shouldn’t have access to.