From a legal perspective, it is important that all employees have read and signed an acceptable use policy (AUP) in case legal action is required in the future (for prosecution or defense). To ensure all employees have this on file, a comparison should be made between IT’s list of named users and HR’s list of AUPs on record.
An attacker’s preferred method is to become a user with elevated privileges as soon as possible. This can be done in 1 of 3 ways. First, he can use an existing privileged account by stealing the credentials. This can be mitigated by:
• Enforcing the use of strong passwords
• Requiring 2-factor authentication
• Allowing the use of privileged accounts only for specific tasks
The last bullet point – not using privileged accounts for day-to-day tasks – can cause some inconvenience to users, but all operating systems normally provide a mechanism to temporarily elevate privileges if the user has sufficient rights:
• Linux – type ‘sudo’ within a terminal session for command line elevation, or ‘gksudo’ (‘kdesudo’ for Ubuntu) to start a graphical application with elevated privileges
• OS X – same as Linux, but the graphical command format is ‘sudo open -a {appname}’
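The third mitigation above (privileged accounts only for specific tasks) is usually expressed on Linux and OS X in the sudoers file. The fragment below is an added illustration, not from the original text; the group names (webops, iam), the service name and the five-minute timeout are assumed values chosen for the example. It shows the blanket rule that defeats the purpose next to task-specific rules that grant only named commands.

```sudoers
# Added example (not from the original text). Assumed group names: webops, iam.

# Weak: every member of the group can run anything as root, with no re-authentication.
# This makes the account effectively a permanent root account.
# %webops ALL=(ALL) NOPASSWD: ALL

# Better: name the tasks, then grant only those. Exact paths, no wildcards,
# so a user cannot smuggle extra arguments past the rule.
Cmnd_Alias SERVICE_CTL = /usr/bin/systemctl restart nginx, \
                         /usr/bin/systemctl status nginx
Cmnd_Alias ACCOUNT_ADM = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel

# Web operators may restart and inspect the web service, nothing else.
%webops ALL=(root) SERVICE_CTL

# Account administration is limited to the identity team; every invocation
# is logged by sudo with the full command line, which is what the log review
# described in the text relies on.
%iam    ALL=(root) ACCOUNT_ADM

# Re-prompt for the password after five minutes of inactivity (assumed value).
Defaults timestamp_timeout=5
```

Edit the file with visudo rather than a plain editor so that a syntax error cannot lock everyone out of elevation.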
Failing that, the attacker can elevate the privileges of an existing non-privileged account. To counteract such an action, close attention needs to be paid to logs resulting from the modification of existing accounts. Additionally, a change control process should be implemented for elevation of privileges requiring two or more employees to authorize such an action.
Finally, an attacker can create a new account with the desired privileges. Again, close attention should be paid to log files, in this case to entries detailing the creation of an account. As with elevating privileges, a change control process should be required for account creation. Company policies should dictate the default expiration for new accounts, minimum password strength and access for specific groups of users.
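The two preceding paragraphs both come down to watching the log for account creation and privilege changes. The script below is an added example, not part of the original text: it parses lines in the syntax of a Linux auth.log (the sample lines are constructed, not captured from a real host), records account creations, additions to privileged groups and account tools run through sudo, and correlates them to flag an account that elevated itself. The set of privileged group names and the list of account tools are assumptions to adjust for a given environment.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in the syntax of a Linux auth.log (not captured from a real host).
SAMPLE_LOG = """\
Mar  3 09:12:01 srv01 useradd[2211]: new user: name=jdoe, UID=1007, GID=1007, home=/home/jdoe, shell=/bin/bash
Mar  3 09:12:05 srv01 usermod[2214]: add 'jdoe' to group 'sudo'
Mar  3 09:12:05 srv01 usermod[2214]: add 'jdoe' to shadow group 'sudo'
Mar  3 09:30:44 srv01 sudo:    asmith : TTY=pts/1 ; PWD=/home/asmith ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:02:17 srv01 sudo:    bking : TTY=pts/2 ; PWD=/home/bking ; USER=root ; COMMAND=/usr/sbin/usermod -aG wheel bking
Mar  3 10:02:18 srv01 usermod[2390]: add 'bking' to group 'wheel'
Mar  3 11:15:00 srv01 useradd[2500]: new user: name=svc_backup, UID=1008, GID=1008, home=/var/lib/svc_backup, shell=/usr/sbin/nologin
"""

NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")
GROUP_ADD = re.compile(r"usermod\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")
SUDO_CMD = re.compile(r"sudo:\s+(?P<actor>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")

# Assumed for this example: groups that confer elevation, and tools that change accounts.
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}
ACCOUNT_TOOLS = {"useradd", "usermod", "userdel", "groupadd", "gpasswd", "passwd"}


@dataclass
class Event:
    kind: str     # account_created | privilege_granted | account_tool_via_sudo
    subject: str  # account affected
    actor: str    # who ran it where the log says so ("?" for useradd/usermod's own lines)
    detail: str
    raw: str


def find_events(log_text: str) -> list:
    """Pull account-creation and privilege-change events out of auth.log text."""
    events = []
    for line in log_text.splitlines():
        if m := NEW_USER.search(line):
            events.append(Event("account_created", m["name"], "?", f"uid={m['uid']}", line))
        elif (m := GROUP_ADD.search(line)) and m["group"] in PRIVILEGED_GROUPS:
            # the matching "shadow group" line is deliberately not matched, to avoid a duplicate
            events.append(Event("privilege_granted", m["name"], "?", f"group={m['group']}", line))
        elif m := SUDO_CMD.search(line):
            cmd = m["cmd"].split()
            if cmd and cmd[0].rsplit("/", 1)[-1] in ACCOUNT_TOOLS:
                # the last argument of useradd/usermod/... is the account being changed
                events.append(Event("account_tool_via_sudo", cmd[-1], m["actor"], m["cmd"], line))
    return events


def flag_self_elevation(events: list) -> list:
    """Accounts that ran an account tool via sudo against themselves and then gained a privileged group."""
    granted = {e.subject for e in events if e.kind == "privilege_granted"}
    return sorted({e.actor for e in events
                   if e.kind == "account_tool_via_sudo" and e.actor == e.subject and e.subject in granted})


def summarize(events: list) -> dict:
    """Counts per event kind, the figure a periodic review would start from."""
    return dict(Counter(e.kind for e in events))


if __name__ == "__main__":
    evs = find_events(SAMPLE_LOG)
    for e in evs:
        print(f"{e.kind:22} {e.subject:12} by {e.actor:8} {e.detail}")
    print("summary:", summarize(evs))
    print("self-elevation:", flag_self_elevation(evs))
```

Every event this produces should map to an approved change request; an account creation or group grant with no matching ticket is the signal the text is describing, and a user who granted a privileged group to his own account is the case that warrants immediate follow-up.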
Privilege accumulation results when a user account is assigned more rights than are necessary to complete his or her job. Proper change control process can mitigate this condition.
Suspending an account is an important step in account management. Common reasons for doing so are:
• Employee termination
• An account reaches its expiration date
• An employee is on a temporary leave of absence (for example, maternity leave or military duty)
System administrators should periodically compare the list of active accounts with HR’s records to ensure that every account that should have been suspended or terminated actually was. Care should be taken not to delete accounts too soon when an employee leaves - suspension should be immediate, but deletion should be deferred in case some type of investigation into the ex-employee’s activities while employed needs to take place.
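The AUP comparison at the start of this section and the active-account comparison just described are the same reconciliation of IT's account list against HR's records. The script below is an added example, not part of the original text; the account list, the HR records, the date and the 90-day hold period before deletion are all constructed values. It reports accounts HR has no record of, named users without a signed AUP, enabled accounts whose owner is no longer active, and suspended accounts of terminated staff whose hold period has elapsed, while keeping accounts of employees on leave.

```python
from datetime import date, timedelta

# Constructed sample data: IT's account list and HR's records (not from any real system).
IT_ACCOUNTS = [
    {"user": "jdoe",       "enabled": True,  "disabled_on": None},
    {"user": "asmith",     "enabled": True,  "disabled_on": None},
    {"user": "bking",      "enabled": True,  "disabled_on": None},
    {"user": "cwong",      "enabled": False, "disabled_on": date(2023, 11, 2)},
    {"user": "dlee",       "enabled": False, "disabled_on": date(2024, 2, 20)},
    {"user": "svc_backup", "enabled": True,  "disabled_on": None},
]
HR_RECORDS = {
    "jdoe":   {"status": "active",     "aup_signed": date(2023, 1, 15)},
    "asmith": {"status": "active",     "aup_signed": None},
    "bking":  {"status": "terminated", "aup_signed": date(2022, 6, 1)},
    "cwong":  {"status": "terminated", "aup_signed": date(2021, 3, 9)},
    "dlee":   {"status": "leave",      "aup_signed": date(2023, 8, 30)},
}
TODAY = date(2024, 3, 1)              # constructed "today"
RETENTION = timedelta(days=90)        # assumed hold period before a suspended account may be deleted


def orphan_accounts(accounts, hr):
    """Accounts IT knows about that HR has no record of: service accounts, leftovers, or worse."""
    return sorted(a["user"] for a in accounts if a["user"] not in hr)


def missing_aup(accounts, hr):
    """Named users with an HR record but no signed AUP on file."""
    return sorted(a["user"] for a in accounts
                  if a["user"] in hr and hr[a["user"]]["aup_signed"] is None)


def should_be_suspended(accounts, hr):
    """Enabled accounts whose owner HR lists as anything other than active (terminated or on leave)."""
    return sorted((a["user"], hr[a["user"]]["status"]) for a in accounts
                  if a["enabled"] and a["user"] in hr and hr[a["user"]]["status"] != "active")


def eligible_for_deletion(accounts, hr, today, retention):
    """Suspended accounts of terminated staff whose hold period has elapsed; on-leave accounts are never listed."""
    return sorted(a["user"] for a in accounts
                  if not a["enabled"]
                  and a["user"] in hr
                  and hr[a["user"]]["status"] == "terminated"
                  and a["disabled_on"] is not None
                  and today - a["disabled_on"] >= retention)


def reconcile(accounts, hr, today, retention):
    """One report an administrator can act on, item by item."""
    return {
        "orphans": orphan_accounts(accounts, hr),
        "missing_aup": missing_aup(accounts, hr),
        "suspend_now": should_be_suspended(accounts, hr),
        "delete_ok": eligible_for_deletion(accounts, hr, today, retention),
    }


if __name__ == "__main__":
    for key, value in reconcile(IT_ACCOUNTS, HR_RECORDS, TODAY, RETENTION).items():
        print(f"{key:12} {value}")
```

In practice the two inputs come from a directory export and an HR system export; the value of the check lies in running it on a schedule, since an account that should have been suspended on the day of termination is only found by a comparison that somebody actually performs.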
Backup Verification
Backups are essential to any disaster recovery plan, but are worthless if they do not work when needed. That is why backups need to be periodically verified to ensure they will work at the right time.
There are 3 primary types of data usually involved in backups:
User data files are user-created and maintained files such as spreadsheets or text documents. One of the biggest issues is that users are notorious for storing their files anywhere but the location that is routinely backed up. This makes it difficult sometimes to align backup processes with policies, regulations and laws.
Databases are large files in which server-based processes (such as SQL Server or Oracle) store data. Normally, there are ancillary files that contain related metadata (such as indexes) that must be backed up and restored together. Fortunately, most modern databases provide some type of means to back up the files without taking the database offline. Testing the restoration is usually more difficult as it can be very disruptive; many companies have separate servers that are used to test backup restoration to avoid any type of live disruption.
Mailbox data is contained on mail servers, of which most companies have multiple instances. Often, these servers back each other up, so that facility needs to be taken into account. Backups should be compliant with e-discovery (a judicial step of retrieving information used for legal proceedings).
As virtual machines become more and more cost effective, they are being used to some extent as a form of backup. Instead of backing up data in a proprietary format, a snapshot of the entire server is made. This has the added advantage of providing extremely quick restores, often in a matter of seconds.
As noted earlier, the verification of a backup can be very disruptive – as a rule of thumb, the less disruptive it is, the less confident a company can be that it will be effective in time of need. A balance should be achieved between the tolerance of users for disruption and the incurred risk if backups do not work as intended. An inventory of backup data should be maintained along with a schedule designed to ensure each is properly tested and verified. In the case of user data, a company must aggressively enforce policies to save user data to network shares where it can be properly backed up.
Creating a proper test plan for backups includes the following steps:
• Develop scenarios that represent specific threats
• Develop a plan for each scenario that tests all mission-critical backups
• Use automation to minimize the effort of running the plan periodically
• Minimize the impact on business so it can be executed regularly
• Ensure coverage so that every system is tested, though not in the same test
• Document the results so you know what is working and what needs work
• Fix or improve any issues you documented