On auditing file usage

Since the time of the Orange Book in the 80s, three rules have been irreplaceable in IT security: always check access rights, audit all information usage, and never let information leave the secure domain in an uncontrolled fashion. A proper mixture of authorization, stalking user activity, and limiting the tools in use still works today when implemented properly.

In the major leaks of the last few years, all three of these failed. The users had bafflingly broad access rights to information, not everything was audited, and it was fairly easy to move information outside the secured domain. As a result leaking was attractively easy, and the risk of getting caught was not apparent.

A while ago I took a look, out of curiosity, at products meant for file access auditing. Those would be the solutions that fix the “auditing all information usage” part when customizing the information systems is not possible (COTS). I found a surprising number of products with different feature sets and value propositions. A few of them had pretty steep price tags and fairly advanced features.

Based on what I found out, I got excited about developing my own basic version, just to maintain my skills and for the heck of it. After a few hours of reading MSDN, nerve-wracking C/C++ development, and jury-rigging, here it is. The quality is so-so (it might have some memory leaks, although I tried to catch them all) and I had no precise specifications, but here is Claimsman:

https://github.com/mikkolehtisalo/claimsman

With the solution, all file accesses generate events that are forwarded to a centralized log management system. I did not implement hashing the files or taking samples, because those activities would probably have a noticeable performance hit on the target, but that would be trivial to add. What comes out of the box is a default log management interface like the following.

[Screenshot: claimsman]

After the information is in the centralized log management system, it is relatively easy to generate, for instance, a weekly report of all file accesses. In conjunction with AD it is possible to look up the manager information, run everything through a good PDF template generator, and email the reports. That way every manager could get a weekly report of all the files their subordinates have been working on.
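As an added example (not Claimsman's own code), the weekly per-manager report described above, built from events in a constructed newline-delimited JSON shape, with a constructed user-to-manager table standing in for the AD lookup; the post does not show Claimsman's real event format, so every field name here is an assumption.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a hypothetical shape; the real Claimsman field names are not known here.
SAMPLE_EVENTS = r"""
{"timestamp": "2016-03-07T09:12:03Z", "user": "CORP\\alice", "path": "\\\\fs01\\projects\\budget.xlsx", "operation": "read"}
{"timestamp": "2016-03-08T14:01:55Z", "user": "CORP\\alice", "path": "\\\\fs01\\projects\\budget.xlsx", "operation": "write"}
{"timestamp": "2016-03-09T10:30:00Z", "user": "CORP\\carol", "path": "\\\\fs01\\hr\\salaries.xlsx", "operation": "read"}
{"timestamp": "2016-03-10T16:45:12Z", "user": "CORP\\dave", "path": "\\\\fs01\\projects\\budget.xlsx", "operation": "read"}
{"timestamp": "2016-03-14T08:00:00Z", "user": "CORP\\alice", "path": "\\\\fs01\\projects\\roadmap.docx", "operation": "read"}
this line is not JSON and must be skipped rather than abort the whole report
"""
# Constructed user -> manager table standing in for an AD lookup.
MANAGERS = {"CORP\\alice": "CORP\\bob", "CORP\\carol": "CORP\\bob", "CORP\\dave": "CORP\\erin"}

def parse_events(text):
    # Parse newline-delimited JSON events; return (events, count of malformed lines).
    events, bad = [], 0
    for line in filter(str.strip, text.splitlines()):
        try:
            ev = json.loads(line)
            # fromisoformat() only accepts a trailing "Z" from Python 3.11 on
            ev["ts"] = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
            events.append(ev)
        except (ValueError, KeyError):
            bad += 1  # count gaps in the audit trail instead of hiding them
    return events, bad

def weekly_report(events, managers, iso_year, iso_week):
    # Accesses in one ISO week as manager -> user -> path -> access count.
    report = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for ev in events:
        year, week, _ = ev["ts"].isocalendar()
        if (year, week) == (iso_year, iso_week):
            # users missing from the directory are still reported, not dropped
            manager = managers.get(ev["user"], "UNASSIGNED")
            report[manager][ev["user"]][ev["path"]] += 1
    return {m: {u: dict(p) for u, p in us.items()} for m, us in report.items()}

def render_report(report, iso_year, iso_week):
    # Plain-text body of the weekly email covering one manager's subordinates.
    lines = []
    for manager, users in sorted(report.items()):
        lines.append(f"Files touched by reports of {manager}, {iso_year}-W{iso_week:02d}:")
        for user, paths in sorted(users.items()):
            lines += [f"  {user}  {path}  x{n}" for path, n in sorted(paths.items())]
    return "\n".join(lines)

if __name__ == "__main__":
    evs, bad = parse_events(SAMPLE_EVENTS)
    print(render_report(weekly_report(evs, MANAGERS, 2016, 10), 2016, 10))
```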

Once knowledge of such an arrangement spread, it would discourage people from even attempting suspicious activities in environments where materials of higher classification are processed. In the long run the impact on overall security would be far more significant than the actual technical feature. The tools of IT security work best when they have a psychological impact. Absurd, but true. It’s not always best to turn all the technical knobs to 11.

On the other hand, some concessions probably have to be made to ensure the privacy of users. At least in lower security level environments this issue may arise, because employees commonly have, in many jurisdictions, limited privacy rights to use the employer’s tools for private business, such as accessing private banking during their lunch break.
