
10 Questions for Assessing Data Security in the Enterprise

Table of Contents

Executive summary 3

1. What sensitive data do I have? 4

2. What sensitive data do I have outside of secure locations? 5

3. Is any sensitive data overexposed? 6

4. Who can access sensitive data? 7

5. Are there any directly assigned permissions or objects with broken inheritance? 8

6. Who owns a particular sensitive file or folder? 9

7. Have there been any changes to permissions to sensitive files? 10

8. What activity is happening around sensitive data? 11

9. Has there been anomalous activity around sensitive data? 12

10. Are there any files that could endanger data security? 13

About Netwrix 14
Executive summary
It is hard to imagine an enterprise today that does not rely on file servers, SharePoint Server or Office 365 for
storing data, including valuable and sensitive files such as intellectual property and customer information.
This makes these systems particularly attractive targets for all sorts of attackers, from anonymous hackers to
disgruntled employees. To prevent data breaches, ensure data integrity and availability, and comply with
various industry and government regulations, you need to establish proper security measures around the
sensitive data that you store.

Ensuring the security of your sensitive and business-critical information is a continuous process. You need
to stay aware of the data you store, regularly identify and mitigate risks to that data and constantly monitor
user activity around it. Answering the 10 questions in this eBook will help you determine how secure the
systems that store your sensitive data really are. These questions revolve around three cornerstones of data
security: finding sensitive data, understanding user access permissions to it and tracking suspicious activity
around it.

Some of these questions can be quite difficult to answer without a specialized solution, so this eBook also
details how Netwrix solutions can help you properly assess data security in your organization, overcome
your data security challenges and become more resilient to the cyber threats that endanger your sensitive
information.

1. What sensitive data do I have?
The volume of data that organizations store is growing rapidly. You simply can’t protect everything equally —
and not all data needs the same safeguards. Therefore, you need deep insight into which files are sensitive
or business-critical and thus most in need of protection.

Some organizations try to force their employees to classify each document they create, while others have
their IT staff go through every file share and assign data tags manually. But these are both time-consuming
and error-prone approaches. How can you know for sure that each user is accurate and consistent, or that
they all care?

To make matters worse, classifying data is a continuous job. Data is constantly flowing in. Moreover, even if
you have found all the pieces of data that are considered sensitive today, new regulations or changes in your
business can change your definitions of “sensitive” and “critical” at any time, requiring you to take a fresh look
at all your existing data.

Netwrix Data Classification automatically categorizes content on your file shares, SharePoint and other
structured or unstructured data repositories, ensuring accuracy and consistency while freeing up your
valuable time. It gives you a high-level view of what kinds of protected information you store on
premises and in the cloud, including bank card data, medical records and other PII, along with exactly
where that data is located and how much of it there is. Once you know what sensitive data you have,
you can prioritize your efforts and secure the locations with the highest concentrations of sensitive data.

Sensitive Files Count by Source

Shows the number of files that contain specific categories of sensitive data. Clicking the
"Categories" or "Source" link narrows your results down to a certain file in this report. Use this
report to estimate the amount of your sensitive data in each category, plan data protection
measures and control their implementation.

Content source     Categories   Files count
\\fs1\Accounting   GDPR         1300
                   PCI DSS      585
\\fs1\Finance      GDPR         715
                   HIPAA        250
                   PCI DSS      952
\\fs1\HR           GDPR         1500
                   HIPAA        1085

2. What sensitive data do I have outside of secure locations?
Organizations are well aware that certain departments, such as HR and Finance, work with critical and
sensitive data on a daily basis, so its security is already a priority. But you need to know right away if financial
documents or customer PII appears in a less secure location, such as a public folder.

With Netwrix Data Classification you can keep a tight grip on what sensitive information you have on
your file shares, SharePoint and other data stores to ensure that it is protected in accordance with
corporate security policies and regulatory standards such as HIPAA, PCI DSS and GDPR.

As organizations adopt technologies like Office 365, they need to watch for sensitive data moving to the
cloud, since employees can easily share it not just within the organization but externally, with anyone who
has access to the internet. Using Netwrix Data Classification, you can quickly discover what sensitive data
you have in SharePoint Online and OneDrive for Business and exactly where it is located so you can secure
it properly. For instance, you might choose to move your business-critical data out of the cloud to a
dedicated secure location or take steps to strengthen your cloud security measures.

[Screenshot: Netwrix Data Classification, category PII > Canadian Health Service Number (8 of 8), showing the matched documents and the text that triggered the clue]

1. \\fs1\Documents\Medical\Report_2018.docx
   "Health service handles and protects patient information the Caldicott Committee was set up to review the confidentiality and flows of data throughout the NHS for purposes other than direct care, medical research or where there is a statutory requirement for information."

2. http://enterprise.com/Documents/Healthcare.pdf
   "Stakeholder/Concept Description Access to HIS Health Information System (HIS) The centralized Health Information System (HIS) maintains all patient health and billing information for all IntraSystem Regional Healthcare (IRH) locations and services."

3. https://enterprise.onmicrosoft.com/Customer Info/Health records.pdf
   "New health clinic is responsible for helping customers maintain and improve their health. It ensures that high-quality health services."
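The discovery and location checks behind Questions 1 and 2, as an added Python example (not Netwrix code): regular-expression clues for payment card numbers and health service numbers, each confirmed by its check digit so that arbitrary digit runs are not reported, a count per content source and category like the report in Question 1, and a list of sensitive files found outside an assumed set of approved locations. The documents, paths and the approved-location policy are all constructed.

```python
"""Added example, not Netwrix code: classify constructed documents into
sensitive-data categories with regular-expression clues whose check digits
are verified, count sensitive files per content source and category, and
flag sensitive files stored outside the locations approved for them."""
import re
from collections import Counter

def luhn_ok(digits):
    """Luhn check that separates real payment card numbers from other 16-digit runs."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d) * 2 if i % 2 else int(d)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def nhs_ok(digits):
    """Mod-11 check digit carried by 10-digit NHS numbers (the excerpt above quotes NHS text)."""
    if len(digits) != 10:
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = (11 - total % 11) % 11
    return check != 10 and check == int(digits[9])

# Clues: category -> (pattern, check applied to the digits of each match).
CLUES = {
    "PCI DSS": (re.compile(r"\b(?:\d[ -]?){15}\d\b"), luhn_ok),
    "PII": (re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b"), nhs_ok),
}
# Constructed policy: content sources approved to hold sensitive data.
SECURE_LOCATIONS = {"\\\\fs1\\Finance", "\\\\fs1\\HR"}
# Constructed documents: path -> text (test card numbers, public NHS example number).
DOCS = {
    "\\\\fs1\\Finance\\cards.txt": "Card on file: 4111 1111 1111 1111 exp 09/22",
    "\\\\fs1\\Finance\\notes.txt": "Order 1234 5678 9012 3456 shipped",   # fails Luhn: not a card
    "\\\\fs1\\HR\\Medical\\Report_2018.txt": "Patient NHS number 943 476 5919",
    "\\\\fs1\\Public\\scan.txt": "Customer card 5500 0000 0000 0004",
    "https://enterprise.onmicrosoft.com/Customer Info/Health records.txt": "NHS number 943 476 5919",
}

def classify(text):
    """Categories whose clue matches the text with a valid check digit."""
    found = set()
    for category, (pattern, check) in CLUES.items():
        if any(check(re.sub(r"\D", "", m.group())) for m in pattern.finditer(text)):
            found.add(category)
    return found

def source_of(path):
    """Top-level share folder (\\\\server\\share) or the host of a SharePoint Online URL."""
    if path.startswith("\\\\"):
        return "\\".join(path.split("\\")[:4])
    return path.split("/")[2]

def count_by_source(docs):
    """(content source, category) -> files, like 'Sensitive Files Count by Source'."""
    counts = Counter()
    for path, text in docs.items():
        for category in classify(text):
            counts[(source_of(path), category)] += 1
    return counts

def outside_secure_locations(docs):
    """Sensitive files whose source is not an approved location (public shares, cloud)."""
    hits = []
    for path, text in docs.items():
        categories = classify(text)
        if categories and source_of(path) not in SECURE_LOCATIONS:
            hits.append((path, sorted(categories)))
    return sorted(hits)
```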

3. Is any sensitive data overexposed?
When IT departments are busy and understaffed, it can be tempting to simply give users more permissions
than they need, rather than take the time to rigorously follow the least-privilege principle. Excessive
permissions can also be the result of honest mistakes or malicious actions. No matter the cause, the resulting
overexposed data is a huge risk you can’t afford to ignore.

Netwrix Auditor enables you to mitigate the risk of data exfiltration and limit your attack surface by making sure
that access rights are granted only to users who really need them. Quickly identify users and groups who have
permissions to folders they are not using, so you can restrict their access and lock down overexposed data.

Excessive Access Permissions

Shows accounts with permissions for infrequently accessed files and folders. Use this report for spotting
unnecessary permissions and preventing data leaks. Track permissions assigned to accounts directly or by
group membership.

Object: \\fs1\shared\Accounting

Account                Permissions    Means granted   Times accessed
ENTERPRISE\A.Watson
ENTERPRISE\N.Key       Full Control   Directly        0
ENTERPRISE\T.Simpson   Full Control   Group           0

You also need to verify that folders that large numbers of employees use on a daily basis do not contain
sensitive data. With Netwrix Auditor, you can quickly see which sensitive files and folders are exposed to the
largest numbers of users, so you can ensure that only eligible users can access financial documents, health
records or other regulated data, and thereby reduce your risk of a data breach or compliance failure.

Overexposed Files and Folders

Shows sensitive files and folders accessible by the specified users or groups, based on the combination of
folder and share permissions. Clicking the "Object path" link opens the "Sensitive File and Folder Permission
Details" report. Use this report to identify data at high risk and plan for corrective actions accordingly.

Group: Everyone

Object path                     Categories
\\fs1\Accounting\Contractors    GDPR, PCI DSS, PII
\\fs1\Accounting\Payroll        GDPR, PCI DSS

4. Who can access sensitive data?
It is not enough to remove excessive user permissions from files and folders containing sensitive data one
time. On a regular basis, you need to check who has access to what to make sure that only eligible users
have access to critical data so you can protect it from unauthorized access that could result in data leaks and
thereby minimize the risk of non-compliance.

However, collecting permissions across file shares or SharePoint sites is not an easy task. User permissions
can be assigned either directly or via group membership. Moreover, each user can be a member of a group
nested inside of one or more other groups that have different sets of permissions to the same resources.
To determine a particular user’s effective permissions to sensitive data, you need to gather details about
which groups have what access rights to each file and folder containing sensitive data, and then compare
this information with what groups a user is a member of. Most administrators simply do not have time to
complete this task while working on their primary duties.

Moreover, because of SharePoint’s complex permission structure, it can be particularly difficult to
determine who has access to what data on your sites. For instance, some lists within a site have fine-grained
access levels, while subsites can have both unique and inherited permissions.

Netwrix Auditor provides complete visibility into user permissions across file servers and SharePoint,
removing the burden of manually collecting permissions assignments. It helps you quickly spot unusual or
improper user permissions, such as a web developer having full control over an HR folder, so you can revise
or revoke them as required to maintain data confidentiality and enforce the principle of least privilege.

Sensitive File and Folder Permissions Details

Shows permissions granted on files and folders that contain certain categories of sensitive data. Use
this report to see who has access to a particular file or folder, via either group membership or direct
assignment. Reveal sensitive content that has permissions different from the parent folder.

Object: \\fs1\HR\Europe (Permissions: Different from parent)
Categories: GDPR

Account               Permissions    Means granted
ENTERPRISE\J.Miller   Full Control   Group
ENTERPRISE\A.Clark    Full Control   Directly
ENTERPRISE\L.Adams    Full Control   Group
ENTERPRISE\P.Young    Full Control   Group
ENTERPRISE\M.Lee      Full Control   Group

5. Are there any directly assigned permissions or objects with broken inheritance?
Security best practices for user permissions management and data access governance recommend granting
access permissions to users via group membership rather than directly. Otherwise, you will have to monitor
both user group membership and directly assigned permissions to each file and folder, which is a tedious and
error-prone process. By granting permissions to users exclusively via groups, you simplify control over user
permissions, can more easily ensure that employees have only the permissions they need to do their jobs, and
thereby minimize the risk of data leaks and compliance failures.

You should also be on the lookout for broken inheritance. Broken inheritance on securable objects, such as
folders on your file shares or SharePoint libraries, can keep you unaware of unauthorized users having access
to sensitive data, which may put its integrity and availability at risk.

Netwrix Auditor shows exactly how user permissions were granted on both file servers and SharePoint, so you
can quickly pinpoint any that were assigned directly and work with business owners to either assign the
permissions via group membership or remove them. Netwrix Auditor also identifies objects with broken
inheritance so you can take action to protect your sensitive data.

SharePoint Site Collections with Broken Inheritance

Shows the list of site collections containing objects with broken inheritance. Use this report
to discover inconsistent sets of permissions. Clicking the Site collection link opens the "SharePoint
Objects with Broken Inheritance" report, which shows all objects with broken inheritance within
one selected site collection.

Total site collections count: 4

Site Collection
http://sp.enterprise.com/Projects
http://sp.enterprise.com/Design
http://sp.enterprise.com/Marketing
http://sp.enterprise.com/HR
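The permission checks behind Questions 3, 4 and 5, as one added Python example (not Netwrix code): a user's effective rights on a folder are resolved through nested group membership and parent-folder inheritance, rights assigned directly to accounts and objects with broken inheritance are listed, and accounts that hold rights on folders they never accessed are reported in the style of the Excessive Access Permissions report. The groups, ACLs, paths and 30-day access counts are all constructed; the web developer with full control over an HR folder from Question 4 is included on purpose.

```python
"""Added example, not Netwrix code: resolve a user's effective rights on sensitive
folders through nested groups and parent-folder inheritance, list rights granted
directly to accounts, list objects with broken inheritance, and list accounts that
hold rights on folders they never use. All data below is constructed."""
from collections import deque

# Constructed group membership: group -> members (user accounts or nested groups).
GROUPS = {
    "HR-Staff": {"ENTERPRISE\\J.Miller", "ENTERPRISE\\L.Adams"},
    "HR-Europe": {"HR-Staff", "ENTERPRISE\\P.Young"},
    "Web-Dev": {"ENTERPRISE\\M.Lee"},
}
# Constructed ACLs: path -> whether it inherits from its parent, plus its own ACEs.
ACLS = {
    "\\\\fs1\\HR": {"inherits": True, "aces": [("HR-Staff", "Read"), ("Web-Dev", "Full Control")]},
    "\\\\fs1\\HR\\Payroll": {"inherits": True, "aces": []},
    "\\\\fs1\\HR\\Europe": {"inherits": False, "aces": [("HR-Europe", "Full Control"), ("ENTERPRISE\\A.Clark", "Full Control")]},
}
# Constructed 30-day access counts per (path, account); absent means never accessed.
ACCESS_COUNTS = {("\\\\fs1\\HR", "ENTERPRISE\\J.Miller"): 14, ("\\\\fs1\\HR\\Europe", "ENTERPRISE\\P.Young"): 3}

def is_user(principal):
    """Domain-qualified principals (DOMAIN\\name) are accounts here; bare names are groups."""
    return "\\" in principal

def groups_of(user):
    """All groups containing the user, directly or through nesting (BFS over memberships)."""
    found, queue = set(), deque([user])
    while queue:
        member = queue.popleft()
        for group, members in GROUPS.items():
            if member in members and group not in found:
                found.add(group)
                queue.append(group)
    return found

def parent_of(path):
    head = path.rpartition("\\")[0]
    return head if head in ACLS else None

def effective_rights(path, user):
    """Rights the user holds on the path and how each was granted (Directly / Group)."""
    principals = groups_of(user) | {user}
    result, current = {}, path
    while current is not None:
        for principal, rights in ACLS[current]["aces"]:
            if principal in principals:
                means = "Directly" if principal == user else "Group (%s)" % principal
                result.setdefault(rights, []).append(means)
        current = parent_of(current) if ACLS[current]["inherits"] else None
    return result

def direct_assignments():
    """ACEs granted straight to a user account rather than via group membership."""
    return sorted((path, p, r) for path, acl in ACLS.items() for p, r in acl["aces"] if is_user(p))

def broken_inheritance():
    """Objects whose ACL does not inherit from the parent, so parent-level reviews miss them."""
    return sorted(path for path, acl in ACLS.items() if not acl["inherits"])

def unused_permissions():
    """Accounts holding rights on a path they never accessed: candidates for removal."""
    users = {p for members in GROUPS.values() for p in members if is_user(p)}
    users |= {p for acl in ACLS.values() for p, _ in acl["aces"] if is_user(p)}
    hits = []
    for path in sorted(ACLS):
        for user in sorted(users):
            rights = effective_rights(path, user)
            if rights and ACCESS_COUNTS.get((path, user), 0) == 0:
                hits.append((path, user, sorted(rights)))
    return hits
```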

6. Who owns a particular sensitive file or folder?
It’s important to know who owns each sensitive file or folder so you can work with them to periodically verify
that the right users have appropriate access to the data. After all, it’s the data owners who are in the best
position to say who should have access to critical assets. If you spot a problem, such as a user repeatedly trying
to read a particular folder, you need to contact the data owner to determine whether it is a real incident you
need to dig into or whether the user has just joined a new project and should be granted access to the folder.

Netwrix Auditor helps you secure sensitive data appropriately by showing which users own sensitive data, so
you can involve them in the process of validating user access rights.

Sensitive Files and Folders by Owner

Shows ownership of files and folders that are stored in the specified file share and contain selected
categories of sensitive data. Use this report to determine the owners of particular sensitive data.

Owner: ENTERPRISE\E.Anderson

UNC path                            Categories
\\fs1\HR\Annual Report              PII
\\fs1\HR\Compensation & Benefits    PII
\\fs1\HR\Exit Interviews            PII, GDPR

Any change to file ownership increases the risk of unauthorized access that could result in the loss of sensitive
data. Control this risk by keeping track of all file server changes, including changes to data owners. With details
about the names of the old and new owners and who made the change, you can be sure to get to the bottom
of each incident.

File Server Changes

Shows created, deleted, and modified files, folders, shares, and permissions.

Action: Modified | Object type: File | What: \\fs1\shared\Accounting\Balance Sheet.xls | Who: ENTERPRISE\J.Smith | When: 1/12/2017 3:05:11 AM
Where: fs1
Ownership changed from “BUILTIN\Administrators” to “ENTERPRISE\J.Smith”

Action: Modified | Object type: File | What: \\fs1\shared\Accounting\Debts.rtf | Who: ENTERPRISE\J.Smith | When: 1/12/2017 3:05:11 AM
Where: fs1
Ownership changed from “BUILTIN\Administrators” to “ENTERPRISE\J.Smith”

7. Have there been any changes to permissions to sensitive files?
In a corporate environment, any improper change to permissions could bring critical business processes to
a halt or put data confidentiality at risk. To avoid these issues, you need to regularly review all recent changes
to permissions to sensitive data or get alerts on such changes to enable speedy response.

Netwrix Auditor simplifies monitoring of changes to permissions across your file servers, SharePoint and
SharePoint Online. It provides the actionable intelligence you need, including the critical before and after
values for each change, so you can track down privilege escalation in time to prevent data leaks.

[Screenshot: Netwrix Auditor search, filtered by Action “Modified” and Details “Permissions”]

Who: ENTERPRISE\S.Smith | Object type: List | Action: Modified | What: http://enterprise.com/Lists/Marketing | Where: http://enterprise.com:34427 | When: 11/01/2018 01:17:14 PM
Permissions: - Added: “ENTERPRISE\T.Simpson (Allow: Create files / write data, Create folders / append data)”

Who: J.Carter@enterprise.onmicrosoft.com | Object type: Document | Action: Modified | What: https://enterprise.onmicrosoft.com/sites/HR/shared/candidates/Peter Oneil.pdf | Where: https://enterprise.onmicrosoft.com | When: 11/01/2018 01:14:01 PM
Permissions: - Added: "User Account Administrator (Edit)"

Who: ENTERPRISE\J.Chan | Object type: Folder | Action: Modified | What: \\fs1\Management\Finance | Where: 172.12.2.45 | When: 11/01/2018 01:10:49 PM
Permissions: - Added: “ENTERPRISE\E.Nelson (Allow: Create files / write data, Create folders / append data,
Write extended attributes, Write attributes) Apply onto: This folder only”

8. What activity is happening around sensitive data?
Of course, simply knowing who has what access permissions isn’t sufficient to keep your data secure; it is also
absolutely necessary to track exactly how these users use their privileges. Otherwise, you might miss deliberate
or accidental actions that can threaten the confidentiality, availability or integrity of your sensitive data.

Netwrix Auditor provides a coherent picture of activity with sensitive data so you can quickly discover threats,
such as a user repeatedly attempting to read customers’ personal information or a departing employee
deleting a large amount of business-critical data. This insight enables you to quickly detect activity that could
otherwise lead to data exfiltration and compliance failures, and make more informed incident response
decisions in less time.

Activity Related to Sensitive Files and Folders

Shows all access attempts (failed and successful changes, and successful and failed read attempts)
to files and folders that contain certain categories of sensitive data.

Action: Read (Failed Attempt) | Object type: File | What: \\fs1\Accounting\Payroll | Who: ENTERPRISE\M.Smith | When: 11/01/2018 2:10:04 PM
Details
Where: fs1
Workstation: 192.168.77.25
Categories: PCI DSS

Action: Read (Failed Attempt) | Object type: File | What: \\fs1\Accounting\Payroll | Who: ENTERPRISE\M.Smith | When: 11/01/2018 1:48:13 PM
Details
Where: fs1
Workstation: 192.168.77.25
Categories: PCI DSS

Action: Removed | Object type: Folder | What: \\fs1\Physics\Student information | Who: ENTERPRISE\N.King | When: 11/01/2018 1:37:02 PM
Details
Where: fs1
Workstation: 178.24.12.0
Categories: GDPR

9. Has there been anomalous activity around sensitive data?
Because file servers typically have a huge volume of activity, it is important to have a bird's-eye view of what’s
happening with the data there. In particular, being able to spot abnormal spikes in data access or
modifications across multiple servers can help you respond quickly to automated attacks, which typically
generate a large number of events.

With the consolidated statistics on data usage patterns across your file servers that Netwrix Auditor provides,
you will be able to immediately detect and investigate suspicious activity spikes that might indicate threats.

It’s also important to have a high-level view of each user’s actions across your IT environment so you can spot
malicious insiders or user accounts that have been taken over by attackers. Netwrix Auditor aggregates all
anomalous user activity to identify high-risk threat actors and enables you to quickly conduct an in-depth
investigation and determine the best response.

[Screenshot: Netwrix Auditor Behavior Anomalies, user profile for ENTERPRISE\J.Smith, last 30 days]

Risk score by top five alerts:
1140  Non-Whitelisted Program Launched on DC
600   Creation of Potentially Harmful Files
540   Interactive Logon to DC
Total risk score: 2280

Alert time              Alert name                                Risk score   Status
10/2/2017 6:59:49 AM    Creation of Potentially Harmful Files     60           Active
10/02/2017 6:30:55 AM   Non-Whitelisted Program Launched on DC    40           Active
10/2/2017 6:06:04 AM    Non-Whitelisted Program Launched on DC    40           Active
10/2/2017 6:00:10 AM    Interactive Logon to DC                   30           Active

Details of the first alert:
Alert name: Creation of Potentially Harmful Files
Risk score: 60
Who: ENTERPRISE\J.Smith
Object type: File
Action: Added
What: \\FS1\Shared\Finance\Reports.exe
Where: fs1.enterprise.com
When: 10/2/2017 6:59:49 AM
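Two of the detections described in Questions 8 and 9, as an added Python example (not Netwrix code): repeated failed reads of one sensitive object by a single account within a short window, and a per-hour activity spike measured against the same account's own baseline across all servers. The activity records are constructed to mirror the fields of the reports above (who, action, what, server, categories); the accounts, paths and thresholds are assumptions.

```python
"""Added example, not Netwrix code: two detections over file-server activity
records like those in the reports above: repeated failed reads of sensitive
data by one account, and a per-hour activity spike against the same account's
own baseline. All records are constructed sample data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def build_sample():
    """Constructed records: (when, who, action, what, server, categories)."""
    base, recs = datetime(2018, 11, 1), []
    for hour in range(24):                       # steady background reads by J.Doe
        for i in range(5):
            recs.append((base + timedelta(hours=hour, minutes=10 * i), "ENTERPRISE\\J.Doe",
                         "Read", "\\\\fs1\\Finance\\Report.xlsx", "fs1", {"GDPR"}))
    for i in range(80):                          # bulk deletions by N.King at 13:00 on two servers
        server = "fs%d" % (1 + i % 2)
        recs.append((base + timedelta(hours=13, seconds=20 * i), "ENTERPRISE\\N.King",
                     "Removed", "\\\\%s\\Physics\\Student information\\doc%d.docx" % (server, i),
                     server, {"GDPR"}))
    for minute in (48, 55, 70):                  # M.Smith probing Payroll without access
        recs.append((base + timedelta(hours=13, minutes=minute), "ENTERPRISE\\M.Smith",
                     "Read (Failed Attempt)", "\\\\fs1\\Accounting\\Payroll", "fs1", {"PCI DSS"}))
    return recs

def repeated_failed_reads(records, window=timedelta(minutes=30), threshold=3):
    """Accounts with `threshold` or more failed reads of one sensitive object inside `window`."""
    attempts = defaultdict(list)
    for when, who, action, what, _, categories in records:
        if action == "Read (Failed Attempt)" and categories:
            attempts[(who, what)].append(when)
    hits = []
    for (who, what), times in attempts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.append((who, what, times[i], times[i + threshold - 1]))
                break
    return hits

def hourly_counts(records):
    """who -> {hour start -> number of events}, counted across all servers."""
    counts = defaultdict(Counter)
    for when, who, *_ in records:
        counts[who][when.replace(minute=0, second=0, microsecond=0)] += 1
    return counts

def activity_spikes(records, start, hours=24, min_events=20, sigmas=3.0):
    """(who, hour, count) where an hour's count exceeds the account's baseline over the
    other hours by `sigmas` standard deviations and is at least `min_events`."""
    spikes = []
    for who, per_hour in hourly_counts(records).items():
        series = [per_hour.get(start + timedelta(hours=h), 0) for h in range(hours)]
        for idx, count in enumerate(series):
            others = series[:idx] + series[idx + 1:]
            threshold = max(min_events, mean(others) + sigmas * pstdev(others))
            if count > threshold:
                spikes.append((who, start + timedelta(hours=idx), count))
    return spikes
```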

10. Are there any files that could endanger data security?
Finally, the presence of harmful files in your environment can lead to data security issues. For instance, an
executable file can spread malware that will encrypt, delete or export business-critical files, disrupting your
business and leading to data breaches and compliance failures.

Netwrix Auditor keeps you current on user activity with potentially harmful executables, installers, scripts
and registry keys on your file shares and SharePoint sites, so you can quickly investigate and take action
before your organization suffers damage.

Potentially Harmful Files – Activity

Shows changes and access to potentially harmful files, such as executables, installers, scripts,
and registry keys, on your file shares and SharePoint sites. These files may be malware, viruses,
or inappropriate software distributions, and should not be stored on shared resources. Use this report to
track incidents and prevent security threats.

Data Source: File Servers

Action   What                                 Who                    When
Read     \\fs1\Shared\IT\MFCMAPI.msi          ENTERPRISE\J.Carter    11/1/2018 2:14:49 AM
         Session ID: 5aa62a65-0000-0000-01d4-71c349ea2444
Read     \\fs1\Shared\IT\Bitcoin Miner.exe    ENTERPRISE\J.Carter    11/1/2018 2:14:49 AM
         Session ID: 5aa62a65-0000-0000-01d4-71c349ea2444

Data Source: SharePoint

Action   What                                       Who                   When
Added    https://enterprise.com/sites/HR/Trojan.js  ENTERPRISE\S.Smith    11/1/2018 1:36:06 AM

About Netwrix
Netwrix is a software company that enables information security and governance professionals to reclaim
control over sensitive, regulated and business-critical data, regardless of where it resides. Over 10,000
organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value
of enterprise content, pass compliance audits with less effort and expense, and increase the productivity
of IT teams and knowledge workers.

Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc.
5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.

For more information, visit www.netwrix.com.

Next Steps
Free trial – Set up Netwrix in your own test environment: netwrix.com/freetrial

In-Browser Demo – Take an interactive product demo in your browser: netwrix.com/browser_demo

Live Demo – Take a product tour with a Netwrix expert: netwrix.com/livedemo

Request Quote – Receive pricing information: netwrix.com/buy

CORPORATE HEADQUARTERS:
300 Spectrum Center Drive, Suite 200, Irvine, CA 92618
565 Metro Place S, Suite 400, Dublin, OH 43017
5 New Street Square, London EC4A 3TW

PHONES:
1-949-407-5125
Toll-free (USA): 888-638-9749
1-201-490-8840
+44 (0) 203 588 3023

OTHER LOCATIONS:
Spain: +34 911 982608
Netherlands: +31 858 887 804
Sweden: +46 8 525 03487
Switzerland: +41 43 508 3472
France: +33 9 75 18 11 19
Germany: +49 711 899 89 187
Hong Kong: +852 5808 1306
Italy: +39 02 947 53539

SOCIAL:
netwrix.com/social
