IT Auditing Season and Radiology Day!
Saturday is International Radiology Day! Back in 1895 Wilhelm Conrad Röntgen discovered X-rays, which now give us a means of looking inside the human body. In the theme of this lesser-known holiday, let’s take a look at how auditing allows system administrators to look inside the mind of the average end-user, not unlike how X-ray technology allows doctors to look inside a patient’s body.
When was the last time you could say, with utter certainty, that your users were using the credentials assigned to them? Do you know what passwords Phil from HR has access to? When was the last time that someone used the emergency override password, and does that time correlate with any logged incidents?
Questions like these are either simple or impossible to answer. It all comes down to how you're auditing your user activities.
Let’s look at a couple of use cases that demonstrate how proper auditing can be used to mitigate risk.
Scenario One: A junior administrator’s credentials are being used around the office to circumvent the restrictions placed upon the average end-user accounts.
Without Auditing: No-one notices the usage for a few months. Eventually one of the users installs some freeware which, unbeknownst to them, contains a cleverly disguised remote administration tool (RAT). With the administrator account provided by the user, the RAT easily disables the safeguards in place to protect the network, and begins redirecting traffic from the company website to some websites of ill repute. Later that week a concerned customer calls the company and asks why their website is trying to sell them counterfeit crochet patterns. The breach is eventually discovered, and the company realizes that it has lost a number of potential sales due to their outage.
With Auditing: A senior technician looks at his account access logs and notices that one technician has been logging into more machines than usual. Upon further inspection he realizes that some of those events occurred on the junior admin’s days off. He remotely accesses one of the systems currently using those credentials and sees that Phil from HR is reading his personal email while installing a number of unapproved applications. The senior technician locks the junior administrator’s account and all the systems running under those credentials before contacting one of the managers and preparing to investigate the issue. Minimal damage occurs, and the issue is quickly rectified.
Scenario Two: A disgruntled ex-employee sitting at home is angered by a commercial about toaster pastries. The joy of the family enjoying crispy dessert for breakfast reminds him of the joy his ex-coworkers expressed as he was escorted out of the building by security. Knowing that his own account would be locked, the ex-employee instead remotely logs into the infrequently used administrator backup account…
Without Auditing: …which no-one knows he has access to. It is only after a number of unflattering emails are sent to employees and clients that the breach is discovered. The company suffers both internally and externally as its poor security practices bring misfortune upon their bottom line.
With Auditing: …which the manager who fired him knew he had access to. The account was set up as a honeypot before the employee left, as they were concerned by a number of the comments made on departure. Once the attempt is logged, prevented, and reported to the local authorities, the manager celebrates the prevented crisis by inexplicably eating two delicious toaster pastries.
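As an added example (not part of the original post), here is a small Python review pass over a constructed logon log that flags the two things the scenarios above rely on: an account used on more machines than its usual baseline or on the account holder's days off (Scenario One), and any use at all of a dormant backup admin account kept as a honeypot (Scenario Two). The log format, account names, baselines and work schedules are all assumed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample logon records: "YYYY-MM-DD host account"
SAMPLE_LOG = """\
2023-11-06 ws-101 jadmin
2023-11-07 ws-102 jadmin
2023-11-08 ws-103 jadmin
2023-11-08 ws-104 jadmin
2023-11-11 ws-110 jadmin
2023-11-12 ws-111 jadmin
2023-11-07 ws-201 phil.hr
2023-11-08 ws-201 phil.hr
2023-11-12 srv-dc1 admin-backup
"""

# Assumed per-account baseline: distinct hosts normally touched in a week
BASELINE_HOSTS = {"jadmin": 3, "phil.hr": 1}
# Assumed schedule: weekday numbers (Mon=0) on which the account holder works
WORK_DAYS = {"jadmin": {0, 1, 2, 3, 4}, "phil.hr": {0, 1, 2, 3, 4}}
# Dormant backup admin account deliberately kept as a honeypot (Scenario Two)
HONEYPOT_ACCOUNTS = {"admin-backup"}

def parse_log(text):
    """Turn the constructed log text into (date, host, account) tuples."""
    events = []
    for line in text.splitlines():
        day, host, account = line.split()
        events.append((date.fromisoformat(day), host, account))
    return events

def review(events):
    """Return sorted (account, reason) findings a reviewer should look at."""
    hosts = defaultdict(set)
    findings = set()
    for day, host, account in events:
        if account in HONEYPOT_ACCOUNTS:
            # Nobody should use this account at all: alert on first sight
            findings.add((account, "honeypot account used"))
            continue
        hosts[account].add(host)
        if day.weekday() not in WORK_DAYS.get(account, set()):
            findings.add((account, "logon on a non-working day"))
    for account, seen in hosts.items():
        if len(seen) > BASELINE_HOSTS.get(account, 0):
            findings.add((account, "more distinct hosts than baseline"))
    return sorted(findings)
```

Running `review(parse_log(SAMPLE_LOG))` flags the junior admin account twice (six distinct hosts against a baseline of three, plus weekend logons) and the honeypot account once, while Phil's own account produces no finding.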
What can we take away from this?
Auditing provides a degree of insight unattainable through the amount of sleuthing most system administrators are able to do by hand. With a system that automates audits and presents them in an easily reviewed form, administrators and managers alike can catch on to trends and issues sooner than they otherwise would. In many cases this improves productivity, but in some cases it can even prevent breaches and detect attacks.
Any business can benefit from auditing. Stop being so reactive and start proactively understanding what’s occurring on your network. AuthAnvil has built-in audit and logging capabilities which make it easy to audit and review what people are doing, and when credentials are being handled.