Watchmen – What can you report on?

Forget the film – the original comic book, by Alan Moore (probably England’s greatest comic book writer) is one of my favourite comics.

So with that not so subtle segway done what I want to talk about today is the third part of the triple “A”s of security.

For good security you must authenticate (A number one) who has access to your information. Then, once they have proven beyond a doubt who they are, that should authorise (the second A) them to access only that information they are entitled to and no more.

That leaves the third A – accountability. The question is – are people who access your information accountable for what they do? Could you prove to an annoyed client that it was not one of your team that had unauthorised access to their business secrets?

Microsoft considered the three “A”s when designing Microsoft 365 for Business – skipping over the first two I want to give you an idea of the report tool in the Compliance and System Centre.

There are a couple of things before you get too excited:

It is not the simplest of tools to use – understanding the criteria is sometimes a challenge
You need elevated administrator rights to use it – so it is not really a tool for HR to use to see if someone is working – although it could do that job
Once the log audit is done there are quite a few steps to go through before you get to evidence
And then that evidence needs interpretation

The type of question your Security admin can answer for you is:

Who accessed the “secret” folder and when
Which files did they look at in the secret folder?
Did they copy or synchronise those files?

These are all useful questions when carrying out a compliance investigation.

All activity has the IP address of the person who carried out the action recorded – not really proof of who did it, but if the IP is odd then it is a strong indication of foul play.

I have been involved in a number of cyber incident investigations where this reporting tool has been invaluable to explain what happened.

None of the investigations, I used the audit tool for were carried out for existing Octagon clients. We are exceptionally discreet when dealing with these tasks with very few people at Octagon knowing the names of the clients we are working for and we never name them in our promotional material.

So, if you are using Microsoft 365 for Business and need a compliance or security question answered, I can help you.

Clive Catton MSc (Cyber Security) – by-line and other articles

Cookie	Duration	Description
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_141969298_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.