How do you control and audit your data files?

Source: Internet
Author: User


The author shares a real security incident at a financial-sector customer; the incident caused the customer a certain amount of economic loss.

Course of the incident

The head of the operations and maintenance department received feedback from front-end business staff that some pages of a business system could not be accessed, so customer orders could not be traded normally.


After troubleshooting, the system maintenance personnel found that a file in the business system had been modified. The head of the department ordered that the cause of the incident and the person responsible be traced.

Cause of the incident

Because all operations personnel are required to access target hosts through the Ming Royal Operations Audit and Risk Control System (a bastion host), the bastion host records the actions of every operator in detail.

Based on the file name, it was quickly found that someone had, at a certain point in time, logged in to the back end of the business system through the bastion host. That person first used the sz command to download a file and, some time later, used the rz command to upload the file back to the business system, directly overwriting the original. As a result, a page of the business system could not be accessed normally.

Incident conclusion

The downloaded file and the uploaded file were exported from the bastion host and their contents compared. The contents of the 2 files were found to be partially inconsistent, which is why the customer order page of the business system could not be accessed.

Reproducing the incident

Because the customer's information is confidential, the incident can only be reproduced here in a test environment:

(1) OPS personnel log in to the system through the bastion host; before the sz command is used, the content of test.txt is "123456 111111"

(2) The sz command is then used to download the file to the local machine

(3) The content of test.txt is modified locally

(4) The rz -y command is then used to upload the file to the system back end

(5) Finally, the content of test.txt is "111111"


Incident tracing

The relevant audit record is quickly located in the bastion host, and the files can be exported to check whether their contents have been modified.
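The comparison described above, as an added example (not part of the original article and not the bastion product's own code): it pairs each rz upload with the earlier sz download of the same path and diffs the two captured copies. The record layout, paths other than test.txt, operator names and timestamps are constructed for illustration.

```python
import difflib
import hashlib

# Constructed audit export: (time, operator, command, remote path, captured content)
AUDIT_RECORDS = [
    ("2000-01-01 10:02:11", "ops_a", "sz", "/app/test.txt", b"123456 111111\n"),
    ("2000-01-01 10:05:40", "ops_b", "sz", "/app/conf.ini", b"mode=prod\n"),
    ("2000-01-01 10:31:57", "ops_a", "rz", "/app/test.txt", b"111111\n"),
    ("2000-01-01 11:00:03", "ops_b", "rz", "/app/conf.ini", b"mode=prod\n"),
    ("2000-01-01 11:20:45", "ops_b", "rz", "/app/extra.txt", b"new file\n"),
]

def digest(data):
    return hashlib.sha256(data).hexdigest()

def review_uploads(records):
    """Pair every rz upload with the latest earlier sz download of the same
    path; report uploads whose content differs or that have no baseline."""
    last_download = {}  # path -> (time, content)
    findings = []
    for time, operator, command, path, data in sorted(records, key=lambda r: r[0]):
        if command == "sz":
            last_download[path] = (time, data)
            continue
        if command != "rz":
            continue
        if path not in last_download:
            # Upload with no recorded download: nothing to compare against.
            findings.append({"path": path, "operator": operator,
                             "kind": "no-baseline", "diff": []})
            continue
        d_time, d_data = last_download[path]
        if digest(d_data) == digest(data):
            continue  # re-uploaded unchanged
        diff = list(difflib.unified_diff(
            d_data.decode(errors="replace").splitlines(),
            data.decode(errors="replace").splitlines(),
            fromfile=f"{path} (sz {d_time})",
            tofile=f"{path} (rz {time})", lineterm=""))
        findings.append({"path": path, "operator": operator,
                         "kind": "modified", "diff": diff})
    return findings

if __name__ == "__main__":
    for f in review_uploads(AUDIT_RECORDS):
        print(f["kind"], f["path"], "by", f["operator"])
        print("\n".join(f["diff"]))
```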


Incident risk

Files can be transferred in many ways, such as SCP, SFTP, FTP, RDP (disk mapping and clipboard), Zmodem, and so on. Without prevention beforehand, control during the operation, and auditing afterwards, the consequences are unimaginable.

The potential risks are:

(1) Uploading malicious files or Trojans

(2) Stealing data files

(3) Dumping the database (bulk export of its contents)

(4) Intentional attacks

(5) Unintentional operations

......

Risk prevention Recommendations

Based on years of experience and numerous cases, Anheng Information provides customers with a holistic solution for protecting data files in the area of secure operation and maintenance audits:

(1) Through the permission management function of the Ming Royal Operations Audit and Risk Control System, the relationship between people and servers is regulated, achieving prevention beforehand.

(2) Through the file transfer control function of the Ming Royal Operations Audit and Risk Control System, it is determined who has file transfer permission and who does not, achieving control during the operation.

(3) Through the file audit function of the Ming Royal Operations Audit and Risk Control System, the files transferred by people who have file transfer permission must be kept intact in their original form, achieving post-event tracing.

(4) Through the electronic work-order approval function of the Ming Royal Operations Audit and Risk Control System, a person without file transfer permission can request to transfer a file, but the request must be approved by the administrator before the file can be transferred, and the operations audit and risk control system saves the transferred files in full.


This article is from the "Love the Pig" blog; please be sure to keep this source: http://ifconfig007.blog.51cto.com/11026101/1791230
