Earlier tonight I read an article on Engadget about how an employee at Verizon had accessed customer data and sold it to a private investigator. It was information he was not authorized to access. This is not an uncommon thing. What is fairly shocking is that he had started in 2009 and was not caught until 2014. This calls into question Verizon's auditing practices on that data, and also how they set up access control. Performing audits and looking for unauthorized access is not sexy or fun work. It is labor intensive and costly. There are tools that can help with some of that. An example would be NetIQ Sentinel. Programs like Sentinel can be set up to monitor logs looking for abnormal behavior or data, and then alert the appropriate people to take a closer look. But to set this up you first need a baseline of normal activity. You also need to work out what a breach might look like, in any of a number of ways, and put in the metrics for the application to look for.
Along with using a program to monitor activity, it is important for humans to look through logs too. The human brain is very good at spotting patterns and noticing abnormalities. It is like solving a puzzle. I remember years ago reading a book by Cliff Stoll called "Cracking the cuckoo's egg". It was a fascinating read and my first real exposure to computer security. The gist of the story is that Cliff was an astronomer whose grant funding had run out. So he took a job in the computer data center. This was back in 1986, during the days when mainframes ruled and had a whole slew of minions to keep things running. Students and college departments were charged for computer time. Cliff found a very small discrepancy in the accounting, something less than a dollar if I remember right. Cliff Stoll is somewhat eccentric along with being extremely smart. For a short period of time I actually had the pleasure of chatting with him online, and he is amazing and funny. At any rate, he knew something was wrong and would not drop it even when others said it was not worth it. I don't want to give away too much in case you want to read what is actually a fun book. But I will say that because he would not let the anomaly go, he was ultimately able to track down a pretty serious security breach. Get the book... it is well worth it.
In my work with LDAP, one of the things I would often do is run reports on the system looking for accounts where no one had logged in for more than three months. It was not something I was mandated to do. But I knew from Cliff's book that this was an important thing to look at. I would then work with others to determine why we had stale accounts and deal with them. I would be willing to bet that in at least 50% of companies I could find accounts that had been unused for over a year. It might even be higher. This is just one example of auditing that should happen regularly. Another would be to get a baseline of how many LDAP searches are performed through the day, every day of the week. The thing is that all systems will have a normal pattern of those searches. It will go up and down through the day, but there will be a predictable level from day to day and week to week. Once you have set a baseline you can then set up monitoring for abnormal changes in those levels. If the search pattern deviates by more than, say, 10 to 20% from normal levels, then you should be alerting the security team to look at it right then.
The same thing is true of web site authorizations. Say you run SiteMinder to protect the system. Every authorization request is logged. You will have X number of successful authorizations an hour. You will also have Y number of failed authorizations per hour because people typed a password wrong or forgot their password. Once you have sampled those numbers for a baseline, you can again set up a system to monitor the levels and alert when there is an abnormal change. You might need to set up a script that will query the log files to make counts and then stuff the counts in a database for trending. So there will be a fair amount of up-front work. But once it is done you will be able to find issues. With something like the SiteMinder logs you could even parse the logs into a database that you could then search if you think you have a user doing things they are not supposed to, and be able to find where they logged in.
Ready access to trend information
After you get things set up, you should test them periodically. There are a number of tools you could find that would help you stress the system to generate alerts. I live in Michigan, and in the summer on the first Friday of every month at noon they blow the tornado sirens so they know the system is working. You should do the same with the alerting system. Set it up so that there is a sudden dump of a large number of LDAP searches and make sure the charts trend it and the alerts go out properly. You want to do it periodically because you never know when a system change might break a script or something, and suddenly the protection system is not working right.
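The three pieces above (count events per hour, store the counts for trending, compare each hour against its baseline, and periodically "blow the siren" to prove the alert fires) fit in one small script. The following is an added example and not code from the original post; it uses a constructed log line format and constructed traffic, not SiteMinder's real log layout, and the 20% tolerance and four-week same-weekday baseline are assumptions you would tune for your own traffic. The drill function is the siren test: it injects a burst of failures and returns the check result so you can confirm the alert path works end to end.

```python
"""Hourly authorization trend table with baseline alerting and a siren drill.

Added example. The log line format, the sqlite table and the thresholds are
assumptions for illustration, not any product's real layout.
"""
import re
import sqlite3
from collections import Counter
from datetime import datetime, timedelta

# Assumed line format (constructed for this example):
#   "2014-09-19 14:03:11 jdoe AUTH_OK"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2} (?P<user>\S+) "
    r"(?P<result>AUTH_OK|AUTH_FAIL)$"
)

def parse_hourly_counts(lines):
    """Count events per (hour, result); the hour key looks like 'YYYY-MM-DD HH'."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the expected format are skipped
            counts[(m.group("ts"), m.group("result"))] += 1
    return counts

def open_trend_db(path=":memory:"):
    """Open (or create) the trend table; use a file path to keep history between runs."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS auth_trend ("
        "hour TEXT, result TEXT, n INTEGER, PRIMARY KEY (hour, result))"
    )
    return conn

def add_counts(conn, counts):
    """Accumulate counts into the trend table (additive, so repeated runs stack)."""
    for (hour, result), n in counts.items():
        row = conn.execute(
            "SELECT n FROM auth_trend WHERE hour=? AND result=?", (hour, result)
        ).fetchone()
        if row:
            conn.execute("UPDATE auth_trend SET n=? WHERE hour=? AND result=?",
                         (row[0] + n, hour, result))
        else:
            conn.execute("INSERT INTO auth_trend VALUES (?, ?, ?)", (hour, result, n))
    conn.commit()

def baseline(conn, hour, result, weeks=4):
    """Mean count for the same weekday and hour over the previous `weeks` weeks."""
    t = datetime.strptime(hour, "%Y-%m-%d %H")
    vals = []
    for w in range(1, weeks + 1):
        prior = (t - timedelta(weeks=w)).strftime("%Y-%m-%d %H")
        row = conn.execute(
            "SELECT n FROM auth_trend WHERE hour=? AND result=?", (prior, result)
        ).fetchone()
        if row:
            vals.append(row[0])
    return sum(vals) / len(vals) if vals else None

def check(conn, hour, result, tolerance=0.20):
    """Compare this hour with its baseline; alert when it deviates by more than `tolerance`."""
    base = baseline(conn, hour, result)
    row = conn.execute(
        "SELECT n FROM auth_trend WHERE hour=? AND result=?", (hour, result)
    ).fetchone()
    current = row[0] if row else 0
    if not base:  # no history yet: nothing to compare against, so no alert
        return {"hour": hour, "result": result, "current": current,
                "baseline": None, "deviation": None, "alert": False}
    deviation = (current - base) / base
    return {"hour": hour, "result": result, "current": current,
            "baseline": base, "deviation": deviation,
            "alert": abs(deviation) > tolerance}

def make_lines(hour, ok, fail):
    """Constructed sample log lines for one hour (not real traffic)."""
    lines = [f"{hour}:{i % 60:02d}:00 user{i} AUTH_OK" for i in range(ok)]
    lines += [f"{hour}:{i % 60:02d}:30 user{i} AUTH_FAIL" for i in range(fail)]
    return lines

def seed_history(conn, hour):
    """Constructed history: the same hour on the four previous weeks."""
    t = datetime.strptime(hour, "%Y-%m-%d %H")
    history = [(100, 8), (104, 10), (96, 6), (100, 8)]  # (ok, fail) per prior week
    for w, (ok, fail) in enumerate(history, start=1):
        prior = (t - timedelta(weeks=w)).strftime("%Y-%m-%d %H")
        add_counts(conn, parse_hourly_counts(make_lines(prior, ok, fail)))

def drill(conn, hour, burst=20):
    """Siren test: inject a burst of failures and return the check that should alert."""
    add_counts(conn, parse_hourly_counts(make_lines(hour, 0, burst)))
    return check(conn, hour, "AUTH_FAIL")

if __name__ == "__main__":
    HOUR = "2014-09-19 14"
    db = open_trend_db()
    seed_history(db, HOUR)
    add_counts(db, parse_hourly_counts(make_lines(HOUR, 103, 9)))
    for r in ("AUTH_OK", "AUTH_FAIL"):
        print(check(db, HOUR, r))
    print("drill:", drill(db, HOUR))
```

Comparing against the same weekday and hour in prior weeks, rather than the previous hour, is what keeps a normal Monday-morning login surge from looking like an attack. A day with no history returns no alert rather than a spurious one, which is also why the drill matters: it is the only way to know the alert path still works after someone changes the log format or the script.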
Tighten down special access
All systems will have certain accounts that have special access. Systems administrators are a perfect example. However there are others too, like help desk personnel. They will have certain systems on which they need to do things that require higher access levels. Recently I went through a training on a program called CyberArk. The goal of the CyberArk system is to tighten up control on those special access accounts. First, it has controls over the passwords on system accounts. It can do single-use passwords, or force periodic password changes. It helps get rid of the abysmal practice of keeping passwords in a password-protected (a total joke) Excel spreadsheet. The program can also be set up so that a person has to go through a CyberArk proxy to get access to a system; CyberArk then records absolutely everything the person does while on the system and can play back the session. This does not prevent someone from doing something wrong, but it gives you the data to discipline or prosecute them. And when users know they are being monitored that closely, they will be much, much less apt to try something they are not supposed to do.
It is also important to limit high-level or system access to your systems. There should only be a limited number of individuals with that access. They should each have their own account. You should never use a shared account for all administrators. And there should be regular audits that list out all users with special privileges in the system. This needs to be part of any audit, like a SOX audit. Ideally the audits should be performed by people who can view the rights but cannot grant rights. This is what is called separation of duties. It is similar to the separation of duties concept in financial audits. Or at the very least there should be multiple people who verify the information, like when a business requires two different people to sign checks.
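Both the stale-account report mentioned earlier (accounts nobody has logged into for more than three months) and the privileged-user listing called for here can be produced from the same directory export. The following is an added example and not code from the original post: it parses constructed LDIF in the layout `ldapsearch -LLL` prints, flags accounts whose last bind is older than 90 days or was never recorded, lists the members of the groups you declare privileged, and intersects the two, since a privileged account that nobody uses is the first thing to disable. The `authTimestamp` attribute is what OpenLDAP's lastbind overlay records; the entries, group names and the 90-day cutoff are assumptions for illustration, and Active Directory would use `lastLogonTimestamp` instead.

```python
"""Stale-account and privileged-membership audit over an LDIF export.

Added example. The directory entries below are constructed; the attribute
names are the OpenLDAP ones and may differ in your directory.
"""
import base64
from datetime import datetime, timedelta, timezone

# Constructed LDIF in the layout ldapsearch -LLL prints (not a real directory).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
authTimestamp: 20140915081200Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
authTimestamp: 20130401093000Z

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol

dn: cn=sysadmins,ou=groups,dc=example,dc=com
cn: sysadmins
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

dn: cn=helpdesk,ou=groups,dc=example,dc=com
cn: helpdesk
member: uid=carol,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr: [values]}}; handles folded and base64 lines."""
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:   # continuation of the previous line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        attrs = {}
        for line in lines:
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):          # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode()
            attrs.setdefault(key.strip(), []).append(value)
        dn = attrs.pop("dn")[0]
        entries[dn] = attrs
    return entries

def stale_accounts(entries, now, max_age_days=90):
    """(uid, last bind) for accounts whose last bind is too old or never recorded."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for attrs in entries.values():
        if "uid" not in attrs:                 # groups and other non-account entries
            continue
        ts = attrs.get("authTimestamp")
        if not ts:
            stale.append((attrs["uid"][0], "never"))
            continue
        last = datetime.strptime(ts[0], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        if last < cutoff:
            stale.append((attrs["uid"][0], ts[0]))
    return sorted(stale)

def privileged_members(entries, privileged_groups):
    """Map each privileged group name to the sorted uids of its members."""
    report = {}
    for attrs in entries.values():
        cn = attrs.get("cn", [None])[0]
        if cn in privileged_groups:
            report[cn] = sorted(
                entries[m]["uid"][0] for m in attrs.get("member", []) if m in entries
            )
    return report

def stale_privileged(entries, now, privileged_groups, max_age_days=90):
    """Privileged accounts that are also stale: the first candidates to disable."""
    stale = {uid for uid, _ in stale_accounts(entries, now, max_age_days)}
    members = privileged_members(entries, privileged_groups)
    return sorted({uid for uids in members.values() for uid in uids if uid in stale})

if __name__ == "__main__":
    now = datetime(2014, 9, 19, tzinfo=timezone.utc)   # constructed "today"
    entries = parse_ldif(SAMPLE_LDIF)
    print("stale:", stale_accounts(entries, now))
    print("privileged:", privileged_members(entries, {"sysadmins"}))
    print("stale and privileged:", stale_privileged(entries, now, {"sysadmins"}))
```

Run it against a real export by feeding the output of `ldapsearch -LLL` into `parse_ldif` and passing the current time as `now`. The person running this report only needs read access to the directory, which is exactly the separation the audit calls for: whoever reviews the list should not be the same person who can add members to `sysadmins`.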
Audits and security might not be sexy. They might cost money and not be a profit center. However, if you don't pay attention to this all along, then something will happen sooner or later, and it will cost you even more after the fact.
I am truly a geek's geek. I have worked in computers for over three decades. I have worked on mainframes, Unix systems, Linux before almost anyone knew what it was, and many other systems. I love computers, and love making them do things people think are impossible.