Whether you want to believe it or not, there’s a high probability that at some point in time your business will suffer a cyber incident that results in a data breach. It doesn’t matter how good your security is, software has bugs, and people make mistakes – and these two things will at some point in time result in an event that would be considered a data breach. (Unless you don’t store any Personally Identifiable Information (PII), including your employee’s Tax File Numbers and Date of Birth….)
Think of it this way, you don’t expect to have a car accident every time you get into a motor vehicle, but likewise you wouldn’t get into a car without putting on your seat belt, would you? In much the same way, we need to implement systems that can help us recover from a cyber incident and provide us with sufficient information that we can confidently identify the implications of the incident.
In recent months we’ve been brought in to provide Incident Response and Digital Forensic services for victims of cyber incidents. In some cases, we’ve been able to accurately identify the actions of the intruders and include or exclude certain potentially affected individuals (as in the case of Business Email Compromise). In other instances, we’ve spent weeks combing through forensically valuable artefacts and still have been unable to accurately say what was, or was not, accessed by intruders.
Why would this matter?
Let’s say, the person who handles your payroll has their email account hacked. Let’s say that person has worked for you for 10 years and you have a staff of 50. How many employees have you had in the last 10 years? How many contractors? Let’s say it’s 100 people.
Due to the nature of that person’s job, it is not uncommon for them to receive and send emails and documents which include things like name, address, date of birth, tax file number, next of kin, resumes, superannuation fund details, bank account details, contact telephone number, etc. As most of us use Outlook (our email) as a sort of file store slash database, there’s probably a high chance that copies of these emails and items exist in their mailbox.
On the one hand, if there was a detailed log (aka Activity API) of every email and attachment viewed by each person accessing that mailbox, a forensic analyst could review that log and identify what, if any, confidential material was accessed. This could be the difference between having to notify 100 individuals that their personal details _might_ have been accessed, including Tax File Number and PAYG summaries, which could be leveraged to perform tax return form; or being able to advise 20 individuals that you know their details were accessed and they should take steps to notify the ATO, etc; versus being able to confidently say that no one had their personal details exposed.
That’s one example, and an easy one to demonstrate and work with. The harder examples are when Remote Desktop Servers (RDP/RDS/Citrix/Terminal Servers/etc) get accessed, the intruder(s) have been in the system for a few months, and the account they accessed was able to access the businesses entire file system, but we are unable to confidently say what they have or have not done during that time.
What should you do?
No matter what system you use, get your IT Administrator / Managed Service Provider or whomever looks after your IT systems to set up some form of log collector or aggregator (on a different machine). Then have all relevant security, access and auditing logs from your servers, firewalls, proxies, etc forwarded to the log collector for long term storage. This means that no matter whether the logs rotate due to time or the intruders delete them from the systems, you still have a backup stored somewhere for review. (Think of it like a dash cam in your car….)
For Windows Servers, ensure that “Audit Logon Events” is enabled for Failures and Successes. This will help identify brute force attacks, as well as keep a log of the date, time, IP address and user account that was used to login to your systems.
Turn “Volume Shadow Services (VSS)” ON on Windows Remote Desktop Servers (Citrix, Terminal Servers, etc) as it may help investigators recover valuable artefacts even if they’ve been destroyed by intruders. And if possible, ensure those systems are backed up at least daily with an ability to recover data from 30 days prior if financially feasible – at the very least 2 weeks!
If you’re using Office 365, enable Auditing. If you’re using some other form of hosted service, ask your provider what account auditing do they do, how detailed it is, and how long do they store the logs they collect?
None of this is expensive to implement – most of it is built in and just needs to be turned on!
Not having it turned on can be the difference between having to notify EVERYONE you store information on, that their information may have been accessed, versus being able to let a very specific set of individuals. That can equate to hundreds of thousands of dollars in legal, forensic, public relations and notification fees, not to mention loss of reputation.