User Access Reviews and Monitoring – CompTIA Security+ SY0-401: 5.3

It’s important to constantly validate your security posture. In this video, you’ll learn how access reviews and auditing can provide you with constant feedback about your security implementation.

<< Previous Video: PrivilegesNext: Cryptography Overview >>

How’s the security in your environment? Do you have the right permissions and settings so that people can access the files they need? And are you restricting the bad guys from accessing resources inside of your network?

The only way to know for sure is to perform some type of access review. This allows you to get into your systems and really understand how the security of those is performing across the board. You may be able to find misconfigurations or things that might have changed in your policies by simply looking over an auditing of what’s happening on your network today.

This auditing should occur relatively often, because you need to understand what changes might be happening on your network. You should, of course, look and see who’s been added to particular groups. You want to be sure a person who does not need access to an administrator group is not a member accidentally of that administrator group. You’d like to be able to review the access control lists and make sure that people have the correct access to resources on your network.

You also want to find any accounts that you might have configured but ultimately had nobody use them. Sometimes this can be done with normal login accounts to, for instance, your Windows domain. Occasionally, it might be a third party system, like a VPN system that you set up originally for someone, and then they never ended up using that VPN.

In those particular cases you have a potential security risk by having that account there. And if somebody does gain access to the proper credentials, they could then access the VPN through that available account. It makes much more sense to simply disable that account, so that nobody can use it. And, of course, if there any accounts that are unnecessary on your network, you want to be sure that those are completely disabled as well.

It seems like going through all of these different steps would take a lot of time. And if you did it manually, it certainly would. There’s many tools out there that you could use that go through not only these particular auditing points but many others as well. And they’ll identify any red flags for you so that you can then go back in and do some additional research to see if this is really a problem and determine what you can do about it.

This auditing process will very often look through all of the different event logs that have been created on your infrastructure equipment, in your file servers, and anywhere else on your network. These logs usually have a lot of information inside of them. And they’re usually specialize logs for application usage. There might be security logs that tell you when someone logged into the network and logged out and security types events. And, of course, there’s audit logs as well, so that you can keep track of who made a change, at what date and what time and be able to backtrack and understand exactly what has changed on your network or in your devices over time.

All of these event logs together allow us to create an audit trail. And we can really track to see what has happened in the past. One downside of storing all this information is that it takes a lot of room. In even a mid-size organization, you could have terabytes and terabytes of audit logs and event logs to go through.

You don’t really want to turn these off. There’s a valuable amount of information that’s there. And all too often, people will decide that that’s just too much space to have on their desk. And they’ll simply disable this completely.

It might make more sense to modify how much the log will save, so that at least you can go back a little bit in time and get some visibility into what’s going on. Ideally, maybe you should get more disk space to be able to keep much more log information in your environment.

Having all of these event logs allow us also to determine if particular resources may have been accessed improperly. This gives us a specific date and time when somebody gained access to resource. And we can also determine exactly the process they went through to get that access. This now allows us, as security professionals, to not only understand what type of risks we were at when that occurred, but now we can put the proper motions in place to prevent those from happening again.