barefoot cybersecurity

security… mobility… cloud… technology… whatever…

How Secure is Your Active Directory?

An increasing number of enterprises, in line with leading information security advisory bodies around the world, are waking up to the fact that developing and maintaining a continuous view of their security posture needs a new approach: regular monitoring. Not just of their devices, applications and data, but of the one element of the network that is constantly evolving and unpredictable: its users.

Today, Microsoft’s Active Directory (AD) is the most widely deployed and relied-upon tool for user authentication and authorisation, and it therefore represents the keys to the kingdom for all of an enterprise’s network resources.

The Problem

AD is dynamic in nature. It changes constantly over time, and many organisations have relied on AD to provide access to sensitive resources for many years. Without regular management of your AD environment, small errors introduced, sometimes a long time ago, can develop and manifest themselves as serious implications for security, compliance and operations.

Individual AD user accounts may provide access (either directly or via a group membership) to a wide array of devices and information. Accounts often become “orphaned”: employees leave the business, or the accounts were created for temporary staff or contractors, or were only ever created for test purposes. Operating procedures should stipulate how these accounts are retired, but they are frequently overlooked.

As individual accounts embody the basic entity around which security policy is structured, it is common for auditors and custodians of these resources to ask about existing accounts: why and when were they created? All too often, it is an impossible question to answer.

The same is true of user groups. Users obtain group memberships to fulfil a specific function in the environment. However, people’s functions within the enterprise evolve, perhaps by moving to another department, meaning a user no longer needs to access certain resources. Group membership should therefore be revoked, but experience suggests otherwise. When you add in that group memberships can be inherited through nested groups, the problem is exacerbated.

Furthermore, consider what happens following a major restructuring of the AD environment, such as moving an Organisational Unit (OU) under a new parent OU. This could result in administrators of the new parent OU gaining administrative rights on objects within the moved child OU. Objects within AD are also likely to have security policies applied via Group Policy Objects (GPOs) linked directly to these OU objects, so the move changes which policies apply to them.

The Solution

Recommended best practice from leading industry experts is to conduct periodic security audits to ensure that AD is being properly managed and protected. Such audits should focus on a few key areas.

When new accounts are created, there are several attributes that are useful to know besides the account ID and the Distinguished Name (DN), the path by which the account may be located within the directory tree. One of the most important pieces of information is the identity of the person (or at least the administrative account) that created the new account. Should that user have had authority to create new accounts? Was there a valid reason for its creation? These are the questions that typically follow.

A clear picture of the time and date at which accounts were created, as well as the server (domain controller) used, are important pieces of forensic information in verifying appropriate use.

The volume of new accounts over time should also be carefully monitored. In particular, failed attempts to create new accounts could indicate a potential risk to the business.

Finally, accounts which have not been used for a specific length of time may be redundant or orphaned. These orphaned accounts represent a significant security risk and are frequently exploited by attackers. At the very least, an orphaned account represents valid login credentials of a former employee who still has potential access to networked resources.
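The account checks above (who created an account, when and on which domain controller, and which accounts have gone quiet) can be scripted. The following is an added PowerShell example, not code from the original post: it assumes the RSAT ActiveDirectory module is installed and that the account running it can read the Security log on each domain controller. It relies on Windows Security event 4720 (“A user account was created”), which is written only on the DC that handled the request, so every DC is queried; the 30- and 90-day windows are assumptions.

```powershell
# Added example, not code from the original post: report on recently created
# and long-inactive AD user accounts. Assumes the RSAT ActiveDirectory module
# and permission to read the Security log on each domain controller.
Import-Module ActiveDirectory

function Get-NewAccountReport {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)

    # Accounts created inside the window, taken from the directory itself.
    $created = Get-ADUser -Filter * -Properties whenCreated, Description |
        Where-Object { $_.whenCreated -ge $since }

    # Who created each one: event 4720 is written only to the Security log of
    # the DC that handled the request, so every DC has to be asked.
    $creators = @{}
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
                LogName = 'Security'; Id = 4720; StartTime = $since
            }
        } catch { continue }   # no matching events on this DC, or log not readable
        foreach ($e in $events) {
            $data    = ([xml]$e.ToXml()).Event.EventData.Data
            $target  = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            $subject = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            $creators[$target] = @{ By = $subject; DC = $dc; At = $e.TimeCreated }
        }
    }

    foreach ($u in $created) {
        $c  = $creators[$u.SamAccountName]
        $by = '(no 4720 event found)'; $on = ''
        if ($c) { $by = $c.By; $on = $c.DC }
        [pscustomobject]@{
            Account     = $u.SamAccountName
            Created     = $u.whenCreated
            CreatedBy   = $by
            OnDC        = $on
            Description = $u.Description
            DN          = $u.DistinguishedName
        }
    }
}

function Get-InactiveAccountReport {
    param([int]$Days = 90)
    # Enabled accounts with no logon inside the window are the orphan candidates.
    # lastLogonTimestamp replicates lazily (by default within 14 days), so the
    # date is approximate; confirm against each DC's lastLogon before disabling.
    Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($Days)) -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

Get-NewAccountReport -Days 30      | Format-Table -AutoSize
Get-InactiveAccountReport -Days 90 | Export-Csv inactive-accounts.csv -NoTypeInformation
```

An account that appears in the directory with no matching 4720 event within the window is itself a finding worth chasing: either the DC logs have rolled over, auditing of account management is not enabled on that DC, or the account was created on a DC that was not queried.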

Group Membership

An individual’s effective rights and permissions within an organisation depend on the groups to which they belong. Therefore we must gain an appreciation of their group memberships and of how those memberships are inherited.

As part of an AD audit, groups with high levels of access, such as the Domain Admins group, should have their memberships reviewed. Additionally, any subsequent changes made to group memberships should be verified through periodic audit.

Organisational Units

To ensure that the AD environment is being well managed and that security policies are being applied correctly, it is highly recommended that OUs are audited regularly. This would include any changes made to an OU, and reporting specifically on any GPOs applied or removed.
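The group membership and OU reviews described in the two sections above share one pattern: take a snapshot, keep it, and diff the next run against it. The following is an added PowerShell example, not code from the original post. It assumes the RSAT ActiveDirectory module; the list of privileged groups and the CSV paths are assumptions to adjust for your domain. GPO links are read from each OU’s gPLink attribute, so no GroupPolicy module is needed.

```powershell
# Added example, not code from the original post: snapshot privileged group
# membership and OU-to-GPO links, and diff each run against the previous one.
# Assumes the RSAT ActiveDirectory module; the group list and file paths are
# assumptions to adjust for your domain.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators'

function Get-PrivilegedMembership {
    foreach ($g in $PrivilegedGroups) {
        # -Recursive expands nested groups, so membership inherited through
        # group nesting is reported alongside direct membership.
        Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
            [pscustomobject]@{ Group = $g; Member = $_.SamAccountName; Class = $_.objectClass }
        }
    }
}

function Get-OuGpoLinks {
    # gPLink holds one "[LDAP://<GPO DN>;<flags>]" per link; flag bit 1 = link disabled, bit 2 = enforced.
    Get-ADOrganizationalUnit -Filter * -Properties gPLink, whenChanged | ForEach-Object {
        $ou = $_
        foreach ($m in [regex]::Matches([string]$ou.gPLink, '\[LDAP://([^;\]]+);(\d+)\]')) {
            $gpoDn = $m.Groups[1].Value
            $flags = [int]$m.Groups[2].Value
            $name  = $gpoDn
            try { $name = (Get-ADObject -Identity $gpoDn -Properties displayName).displayName } catch { }
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                OuChanged = $ou.whenChanged
                GPO       = $name
                Enforced  = ($flags -band 2) -ne 0
                Disabled  = ($flags -band 1) -ne 0
            }
        }
    }
}

function Compare-Snapshot {
    # Prints rows added or removed since the CSV at $Path was written, then refreshes it.
    param([string]$Path, [object[]]$Current, [string[]]$Key)
    if (Test-Path $Path) {
        Compare-Object -ReferenceObject @(Import-Csv $Path) -DifferenceObject $Current -Property $Key |
            ForEach-Object {
                $row    = $_
                $change = if ($row.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
                "$change " + (($Key | ForEach-Object { $row.$_ }) -join ' / ')
            }
    }
    $Current | Export-Csv $Path -NoTypeInformation
}

# Between audits the same changes surface as Security events: 4728/4732/4756
# (member added to a global/local/universal group), and 5139/5136 for OU moves
# and attribute changes, which need "Audit Directory Service Changes" enabled.
Compare-Snapshot -Path 'C:\audit\privileged-groups.csv' -Current @(Get-PrivilegedMembership) -Key Group, Member
Compare-Snapshot -Path 'C:\audit\ou-gpo-links.csv'      -Current @(Get-OuGpoLinks)          -Key OU, GPO
```

Keeping the snapshot CSVs under change control gives the audit trail the article asks for: every ADDED or REMOVED line can be matched against a change ticket, and anything without one is the finding.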

The Basics for Hard Disk Encryption

So you realise you (or your staff) are walking about with all that confidential company data on a laptop drive. OK, so it’s password protected, but that will not prevent an attacker from booting the system from a thumb drive or removing the hard disk to access it from another system. Without some kind of hard disk encryption, that data is easily readable by anyone with access to the drive.

There are three basic solutions to protect the confidentiality of a hard disk’s contents. Here’s a brief overview of these options.

1. Software based file/folder/partition encryption

One simple approach is to designate a directory or partition on your disk to which any sensitive data is written. Using software-based encryption, any data written to this location is encrypted “on the fly”. Permission to access this data (through authentication) is typically granted using a password (maybe your Windows login).

One benefit of this approach is that your operating system can remain on an unencrypted disk location, which maintains performance and avoids complications associated with OS maintenance and patching. However, you are reliant on the user writing their data to this secure location. Often a disk can be partitioned and the user instructed to store all their classified information there, but habit dictates that email attachments still end up on the desktop, unprotected. Open-source tools like TrueCrypt are frequently employed to provide this kind of functionality for free, although without commercial support.

Safend provides a unique solution for Windows that automatically encrypts user-generated content whilst avoiding system and program files, which goes some way to solving this.

2. Software based full disk encryption

With full disk encryption, pretty much everything on the drive is encrypted, meaning that the choice is no longer the user’s to make. However, the performance and maintenance issues mentioned above now come into consideration. Also, the boot loader remains unencrypted (note I said pretty much everything) so that the key can be made available to the password authentication process, and this remains vulnerable to attack.

To protect these keys further, one can use the Trusted Platform Module (TPM), which is standard on today’s PCs. The TPM is a secure hardware device (or chip) on the motherboard which enforces that the drive can only be read by that specific system. Generally speaking, hardware-based security offers more protection than software.

Microsoft now includes its BitLocker encryption in the Enterprise and Ultimate editions of Windows 7 and in the Pro and Enterprise editions of Windows 8, which can be used in conjunction with a TPM.
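Whether a BitLocker volume is actually tied to the machine’s TPM, rather than protected by a password alone, is visible from the volume’s key protectors. The following is an added PowerShell example, not code from the original post: it assumes an elevated session and the BitLocker and TrustedPlatformModule modules that ship with Windows 8 / Server 2012 and later (on Windows 7, manage-bde -status gives the equivalent information). The finding text is an assumed classification, not anything from Microsoft’s tooling.

```powershell
# Added example, not code from the original post: report each volume's
# BitLocker state and whether its key is sealed to the TPM. Needs an elevated
# session on Windows 8 / Server 2012 or later.
function Get-DiskEncryptionPosture {
    $tpm = Get-Tpm   # TpmPresent / TpmReady describe the chip, not the disk
    foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        # A Tpm* protector means the volume master key is sealed by the TPM and
        # the disk will not unlock when moved to another machine. Password and
        # RecoveryPassword protectors alone give software-only protection.
        $tpmBound = [bool]($types | Where-Object { $_ -like 'Tpm*' })

        if ($v.ProtectionStatus -ne 'On') {
            $finding = 'NOT PROTECTED: readable by booting another OS or moving the disk'
        } elseif (-not $tpmBound) {
            $finding = 'Software-only protectors: key is not tied to this system'
        } elseif ($types -contains 'Tpm') {
            $finding = 'TPM-only: unlocks with no user secret; TPM+PIN adds one'
        } else {
            $finding = 'OK'
        }

        [pscustomobject]@{
            Volume     = $v.MountPoint
            Type       = $v.VolumeType
            Status     = $v.VolumeStatus
            Percent    = $v.EncryptionPercentage
            Protectors = ($types -join ',')
            TpmReady   = $tpm.TpmReady
            Finding    = $finding
        }
    }
}

Get-DiskEncryptionPosture | Format-Table -AutoSize
```

Run across a fleet (for example through a remoting job), the Finding column is the compliance report: any NOT PROTECTED or software-only row is a laptop that still has the problem described at the top of this post.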

Other leading enterprise solutions are available from the likes of McAfee, Sophos and Check Point.

3. Hardware based full disk encryption

Hard disk security has evolved further, pushing security deeper into the hardware layer with the new generation of self-encrypting drives (SEDs).

With SEDs, the encryption key is embedded in the drive controller itself. Authentication takes place as the drive is powered on, using a BIOS password, which can also become a single sign-on to the domain. Therefore, from the moment the drive starts, all data is encrypted on the way in and decrypted on the way out. No performance issue and no software-based authentication.

It is not possible to access the stored key without physically destroying the drive, and the data cannot be read without the encryption key.

Wave Systems and Seagate pioneered SEDs supporting the Opal standard developed by the Trusted Computing Group (TCG), and today Hitachi, Samsung and Toshiba all produce Opal-compliant drives.

At the time of writing, SEDs can be purchased for as little as $20 more than the equivalent specification non-encrypting drive.

Sensitive Data: Coping with that file server!

Almost every enterprise has some kind of legacy file server. You know, the one that stores all the information that has to be accessed by the various business groups. Great swaths of spreadsheets, presentations, photos, accounts, client info and (possibly!) some illegally shared media.

This unstructured data grows rapidly and organically. Many larger enterprises have sensitive data, which may contain confidential and/or personal information, residing on file stores where there is an insufficient understanding of exactly what this data is and who is accessing it. The over-permissive nature of global directory groups such as the “Everyone” group means that there is little control over exactly where in the enterprise this sensitive data is written.

User entitlements to view certain groups and folders evolve over time. These entitlements are rarely reduced, yet regular reviews of user entitlement by manual methods are time consuming and therefore generally ignored. The typical result is:

  • No intelligence as to where sensitive data resides, who owns it and who may access it.
  • No intelligence about data that no one is accessing. Typically 50% of data becomes ‘stale’ after 90 days.
  • Over-permissive access. Statistics indicate more than 95% of file access activity is not audited by IT.

I usually recommend a phased approach to tackling each of the issues identified. The first phase is to identify sensitive data, data owners and data that can be archived or deleted. The second phase is the more strategic process of applying policies to the classified data and controlling and auditing access to it.

Phase 1: Identification

The initial task of locating this sensitive data may appear overwhelming given the size of a typical enterprise file server and the realisation that sensitive data could reside literally anywhere within it. Key to making this task more manageable is to reduce the overall amount of data in which there MIGHT be sensitive information by identifying the data which can be clearly classified as NOT sensitive. This can be extended further by identifying data which may be archived off potentially expensive enterprise storage, and data which no one is accessing at all. By categorising information in this way, we gradually narrow down the portion of the data set which may possibly contain our sensitive information.

Categorisation by File Type

An important early step is to gain a high level overview of the file types that constitute the unstructured data set. This provides two important benefits:

  1. Quickly identifies files that would not contain sensitive information. Typically you could include PowerPoint and audio/video files in this category.
  2. Locates data which the business has no requirement to store centrally. Personal MP3s might constitute this category.

A data governance solution typically does this in a couple of ways: firstly by reporting on the file types being accessed and the number of access events on each, and secondly by reporting the locations of files based on their file extension.

Classification of known sensitive data

There are some basic criteria which can be used for data classification:

  • Time criteria are the simplest and most commonly used, where data is evaluated by time of creation, time of last access, time of last update, etc.
  • Metadata criteria such as type, name, owner, location and so on can be used to create more advanced classification policies.
  • Content criteria, which involve the use of advanced content classification algorithms, are the most advanced form of unstructured data classification.

Use of an automated classification framework (like Varonis DCF) provides visibility into the content of data across file systems and can be utilised to locate data which is easily classified as sensitive. For example, you could conclude that any file that contains a personal ID number constitutes personal information and should be protected in line with the appropriate guidelines.

Equally, any documents previously classified by their file properties or by keywords (e.g. “Company Confidential”) can be quickly located. These are examples of “quick wins” in reducing the volume of data with unknown classification. Other examples of easily classified data include files containing:

  • Policy numbers
  • Phone numbers
  • Postal Codes
  • Bank account numbers
  • Credit card numbers
  • Passport numbers
  • Keywords
  • Personal (out of domain) email addresses
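A content scan for the identifier types in the list above does not need a commercial engine to get started. The following is an added PowerShell example, not code from the original post or from any product named in it: it walks a share, searches text-bearing files for card numbers (validated with the Luhn checksum so that order or invoice numbers are not flagged), e-mail addresses outside the corporate domain, and classification keywords, and writes a masked report. The patterns, keyword list, corporate domain and share path are assumptions to tune for your own data; Office documents are zip containers and need a text extractor, which is omitted here.

```powershell
# Added example, not code from the original post: scan text-bearing files for
# card numbers, external e-mail addresses and classification keywords.
# Patterns, keywords, the corporate domain and the share path are assumptions.
$Keywords        = 'Company Confidential', 'Internal Only', 'Restricted'
$CorporateDomain = 'example.com'
$TextExtensions  = '.txt', '.csv', '.log', '.xml', '.html', '.htm', '.json', '.md', '.eml'

function Test-Luhn {
    # Checksum used by payment card numbers; filters out random 16-digit strings.
    param([string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $n = [int][string]$Digits[$i]
        if ($double) { $n *= 2; if ($n -gt 9) { $n -= 9 } }
        $sum += $n; $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Hide-Value([string]$v) {
    # Keep only the last four characters so the report itself is not sensitive.
    $keep = [Math]::Min(4, $v.Length)
    ('*' * ($v.Length - $keep)) + $v.Substring($v.Length - $keep)
}

function Get-SensitiveFindings {
    param([string]$Path)
    $rules = @(
        @{ Name = 'CreditCard';    Regex = '\b(?:\d[ -]?){15}\d\b'
           Check = { param($m) Test-Luhn ($m -replace '[ -]') } }
        @{ Name = 'ExternalEmail'; Regex = '\b[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}\b'
           Check = { param($m) $m -notlike "*@$CorporateDomain" } }
        @{ Name = 'Keyword';       Regex = (($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|')
           Check = { $true } }
    )
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $TextExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $file = $_
            $text = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
            if (-not $text) { return }
            foreach ($r in $rules) {
                # Regex gives candidates; the rule's Check script block confirms each one.
                $hits = @([regex]::Matches($text, $r.Regex, 'IgnoreCase') |
                          Where-Object { & $r.Check $_.Value })
                if ($hits.Count -gt 0) {
                    [pscustomobject]@{
                        File      = $file.FullName
                        Rule      = $r.Name
                        Hits      = $hits.Count
                        Sample    = Hide-Value $hits[0].Value
                        Owner     = (Get-Acl -LiteralPath $file.FullName).Owner
                        LastWrite = $file.LastWriteTime
                    }
                }
            }
        }
}

Get-SensitiveFindings -Path '\\fileserver\share' | Export-Csv sensitive-findings.csv -NoTypeInformation
```

The two-stage rule (a cheap regex, then a per-match check) is what keeps the false-positive rate workable: without the Luhn test a file of 16-digit order numbers would drown the real findings, and the masked Sample column lets a data owner confirm a hit without the report becoming a copy of the sensitive data.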

Identification of inactive directories

Enterprise file stores typically contain vast amounts of data that is no longer in use and is therefore stale. It is very difficult to determine where that data resides, so it remains on expensive file systems, possibly exposed to risk due to excessive permissions. This task can be greatly reduced with an automated solution that identifies and reports on inactive directories, which may then be archived pending deletion. In many cases the amount of server space reclaimed during this stage will, in itself, pay for the capital outlay of such a solution.

Identify data owner by folder

Having been through the processes above, the subset of data that remains unclassified is substantially reduced. The next step is to classify the remaining data by involving the data owners. This is done at strategic levels within the folder hierarchy. Organisational data owners could be your biggest asset in the battle to identify and locate which data is sensitive and which is not.

Data owners should be making decisions, taking responsibility and correctly classifying their data. Without a data owner who understands the sensitivity, importance and organisational context, data cannot be managed and protected by the right people.

By analysing permissions and directory services it is possible to identify the folders closest to the top of the hierarchy where permissions for business users have been explicitly applied. These folders should have assigned data owners. An audit trail of every open, create, move, modify and delete on the file system should be kept. By analysing this data over time, it is possible to provide actionable business intelligence on the probable data owner of any folder.
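The file-type triage, the inactive-directory pass and the search for explicitly permissioned folders described in the sections above can all be driven from one walk of the share. The following is an added PowerShell example, not code from the original post or from any product it names. It reports the extension mix, flags directories beneath which nothing has been written for a chosen number of days (a folder is stale only if all of its subfolders are), and lists the folders carrying non-inherited permissions or write access for catch-all groups, ordered by depth so the candidates nearest the top of the tree come first. The share path, the 90-day cutoff and the list of catch-all groups are assumptions.

```powershell
# Added example, not code from the original post: folder-level triage of a share
# (file-type mix, stale directories, owner candidates from explicit ACLs).
# The share path is an assumption; run with an account that can read every ACL.
function Get-ShareTriage {
    param([string]$Path, [int]$StaleDays = 90)
    $Path   = $Path.TrimEnd('\')
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $files  = Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue
    $dirs   = Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue

    # 1. File-type mix: media and presentation formats rarely carry sensitive text
    #    and can be set aside early, shrinking the set that needs content inspection.
    $byType = $files | Group-Object { $_.Extension.ToLower() } | Sort-Object Count -Descending |
        Select-Object @{ n = 'Extension'; e = { $_.Name } }, Count,
                      @{ n = 'MB'; e = { [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 1) } }

    # 2. Newest write beneath each directory, propagated up to the share root, so a
    #    folder counts as stale only if nothing under it has changed either.
    $newestUnder = @{}
    foreach ($f in $files) {
        $d = $f.DirectoryName
        while ($d -and $d.Length -ge $Path.Length) {
            if (-not $newestUnder.ContainsKey($d) -or $f.LastWriteTime -gt $newestUnder[$d]) {
                $newestUnder[$d] = $f.LastWriteTime
            }
            $d = Split-Path -LiteralPath $d -Parent
        }
    }
    $stale = foreach ($d in $dirs) {
        if ($newestUnder.ContainsKey($d.FullName) -and $newestUnder[$d.FullName] -lt $cutoff) {
            [pscustomobject]@{ Directory = $d.FullName; NewestWrite = $newestUnder[$d.FullName] }
        }
    }

    # 3. Owner candidates: explicit (non-inherited) ACEs for business principals,
    #    plus any write access granted to catch-all groups such as Everyone.
    $system = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|CREATOR OWNER)$'
    $broad  = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
    $owners = foreach ($d in $dirs) {
        $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited -and "$($_.IdentityReference)" -notmatch $system })
        $wideOpen = @($acl.Access | Where-Object { $broad -contains "$($_.IdentityReference)" -and
                                                   "$($_.FileSystemRights)" -match 'Write|Modify|FullControl' })
        if ($explicit.Count -or $wideOpen.Count) {
            [pscustomobject]@{
                Folder         = $d.FullName
                Depth          = @($d.FullName.Substring($Path.Length).Trim('\') -split '\\').Count
                ExplicitGrants = ($explicit | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
                BroadWrite     = [bool]$wideOpen.Count
                Owner          = $acl.Owner
            }
        }
    }

    [pscustomobject]@{
        ByType           = $byType
        StaleDirectories = $stale
        OwnerCandidates  = ($owners | Sort-Object Depth, Folder)
    }
}

$triage = Get-ShareTriage -Path '\\fileserver\share' -StaleDays 90
$triage.ByType           | Format-Table -AutoSize
$triage.StaleDirectories | Export-Csv stale-directories.csv -NoTypeInformation
$triage.OwnerCandidates  | Export-Csv owner-candidates.csv  -NoTypeInformation
```

LastWriteTime is a weaker signal than the access audit trail the article recommends (a folder that is read daily but never written will show as stale), so treat the stale list as archive candidates to confirm with the data owner rather than as a deletion list.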

Identify data stored in other locations

Managing the enterprise file servers is not the complete solution for protecting unstructured data. There are other locations in which data can be stored which will need to be identified and managed. Mail servers and content management solutions (like SharePoint) can be managed using similar technology.

However, arguably a more difficult problem to solve is that of sensitive documents residing on the local disks of your network endpoints. Laptop users are particularly liable to drag documents onto the desktop so they can access them offline. The business likely has little or no insight into this unsecured data and is exposed to the risk of faulty business processes. With the data classification rules now largely understood, they can be utilised in locating this locally stored information.

DLP and similar endpoint protection solutions will map and locate sensitive data stored on workstations and laptops. This can run in the background with minimal impact on productivity, saving valuable time and improving the efficiency of the data discovery process. Typically such tools allow logging and reporting on the use of this locally stored data and, as such, should be implemented as part of the data protection program.

Phase 2: Control of data by sensitivity level

With the majority of the data set classified, it is time to work again with the data owners to assign a sensitivity level to the data. The level of sensitivity should differentiate between valuable information that carries a high level of risk and other information that may be sensitive but carries less risk if exposed or lost. Common practice stipulates the following levels:

  • Confidential – Requires significant protection as disclosure may seriously harm the business
  • Private – Associated with an individual whose interests disclosure might harm
  • Sensitive – Requires protection due to regulatory conditions
  • Public – Information that is already public knowledge

Policy based on Sensitivity level

Policies should be designed to provide details on how to protect information at varying sensitivity levels. Consideration should be given to the following issues:

  • Access control requirements
  • Marking/meta-tagging of files
  • Electronic distribution/transmission
  • Storage requirements
  • Retirement and disposal of outdated information

Organise & Restructure

With sensitivity levels in mind, the file stores may be organised and restructured. Data owners should be assigned at strategic levels in the folder hierarchy. These data owners will be the custodians of the information going forward and should be ultimately accountable for ensuring that data residing under their jurisdiction is managed in line with current policy.

Data protection

A continued program of data protection should be adhered to. Central to this is the periodic re-scanning, auditing and reporting of information residing in the unstructured data environments. Further consideration could be given to data residing on users’ local hard disks. An endpoint protection solution can be implemented to periodically discover locally stored, sensitive information based on the data classifications that are now defined.