How to Audit User Access

When checking system access, make sure you look at all the different items that affect the user’s access. For example, the user might need one or more of the following:

• Application ID
• Application role or group
• Membership in an local server group, Active Directory (AD) group, or UNIX Group
• Access to the application’s share and/or folder on the server
• Database ID
• Database role, including access permissions (read/write)
• Other permission (from a home-grown application code or enterprise identify management system)

Continue reading →

Advertisement

Internal Attacker Detected: Conclusion

Minutes later, one of the security techs met me at Lynn’s cube with a box that we quickly filled with the contents of her desk: files, CDs, DVDs, notedpads, books, etc. The other help desk analysts in adjacent cubes looked at us with silent questions on their faces.

I noticed that one of them was a new employee that had attended my security presentation in employee orientation last week, so he knew who I was. That meant rumors would spread quickly. While I never enjoyed walkouts, they reminded the staff that security incidents have consequences.

This is a multi-part series. See Internal Attacker Detected: Part 1, Internal Attacker Detected: Part 2, and Internal Attacker Detected: Part 3.

Others on my team had already imaged the old computer and had started imaging the new one across the network as soon as my meeting with Lynn began (by design, she was not told of the meeting beforehand). Both images would be sent off to the Forensics team.

Continue reading →

Internal Attacker Detected: Part 3

Tim said, “Mack, like you suggested, I connected to her new PC over the network and searched her hard drive for the hacker tools–they’re back, plus a few new ones. And her antivirus is turned off again.”

This is a multi-part series. See Internal Attacker Detected: Part 1 and Internal Attacker Detected: Part 2.

After discussing my action plan with the CIO, Legal, and Human Resources, I met with the contractor’s manager, Sue, and explained the situation. Both the hacking tools and turning off a security service were serious violations of security policy. I had recommended the person be walked out and told her that the CIO, Legal, and HR agreed.

Continue reading →

Internal Attacker Detected: Part 2

Two days later, I walked up to the well organized desk of Tim, the malware tech that told me about the hacking tools that he’d found on a contractor’s PC.

“Tim, did you find any bear paw in the trap we set?”

This is a multi-part series. See Internal Attacker Detected: Part 1.

Tim turned around, and I could immediately tell he was not happy. His jaw was tight, his hair was clumped, and his blurry eyes told that he had not been to bed in the past 24 hours.

Continue reading →

Internal Attacker Detected: Part 1

A while back when I worked in IT security, an internal attacker popped up on our radar…

I answered the phone and heard a tech from the anti-malware team say, “I think we have a problem, Mack. Got some time to come down and see what I found?”

Continue reading →

Top 10 Bad Jobs

I was checking out the latest post of my new blogger colleague from London, Audit Monkey, and read the following….

I’m sitting here in reflective mood thinking what the ‘Top 10′ worst possible jobs could be. Here’s my list.

Continue reading →