Hitachi

JP1 Version 12 JP1/IT Desktop Management 2 Administration Guide


1.8.2 General procedure for investigating traces of information being brought out

If information might have been brought out, you need to investigate traces of the information and quickly check whether there is any problem.

Using JP1/IT Desktop Management 2, you can check the following points: whether there are any traces of each computer being operated, whether an unknown device is connected to the network, and whether the security settings related to illegal access are specified for each computer.

To investigate traces of information being brought out:

1. Check operation logs.

By checking operation logs collected from each computer, you can check the operation status of each computer. If you find any trace of a third party login or any suspicious bringing-out operation, you need to identify the brought out data by checking operation logs, and then consider measures to be taken.

2. Check a newly connected device.

If an unknown device is connected to the network in your organization, information might leak out of that device. By searching the network, you can check whether there is any device newly connected to the network in your organization.

3. Check the security settings of computers.

If a computer is vulnerable to illegal access, that computer might be manipulated by a third party and information leakage might occur. Check the security settings of the managed computers, and then take necessary measures if there is any problem.

By following the above procedure, you can check whether there are any traces of information being brought outside.

(1) Checking operation logs

By checking operation logs collected from each computer, you can check the operation status of each computer. If you find any trace of a third party login or any suspicious bringing-out operation, you need to identify the brought out data by checking operation logs, and then consider measures to be taken.

You can check operation logs in the Operations Log List view, which is displayed by selecting Operations Logs in the Security module and then Operations Log List.

To check operation logs that do not exist in the database, import past operation logs into the management server. Because importing all operation logs requires a long time, you need to narrow down the target computers based on the brought out data, and then import operation logs.

You need to investigate the collected operation logs one by one by data tracing. We therefore recommend that you narrow down the target operation logs from several viewpoints. For example, if information might have been brought out, check operation logs from the following viewpoints:

Check the operation logs during the time frame in which the relevant operation was performed.

If you already know the time frame in which the operation related to bringing-out occurred, you can efficiently check operation logs by narrowing down based on that time frame. In the list of operation logs, specify the value for Operation Time (Source) and the time frame as the filtering conditions to narrow down operation logs to be checked, along the time axis.

Check operation logs by limiting the type of operation.

By narrowing down to operations related to bringing-out, you can efficiently check operation logs. Using the filtering function in the list of operation logs, specify, for example, the following conditions:

  • Operation Type is File Operation, Print Operation, or Device operation.

  • Operation Type (Detail) is Logon, Copy file, Web Access (Upload), FTP (Send File), or Device category.

Use a filter with conditions such as Source, Department, Location, and User Name to narrow down the computers from which data was brought out.

Check operation logs based on the computer from which data was brought out.

You can check whether data was brought out from a specific computer, such as a server where important data is stored or a NAS. In the list of operation logs, specify the value for Source and the computer name to check whether information was brought out from a specific computer.

If the result of checking finds that information might have been brought out, check with the user of the computer for which the operation logs were obtained about the circumstances, and then consider measures to be taken.
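
The three narrowing viewpoints above (time frame, operation type, source computer) can also be applied offline to exported logs. The following is an added example, not part of the Hitachi guide or the product: it assumes the logs are available as CSV whose column names match the filter fields named on this page; the timestamp format, the Target column, and all sample rows are constructed.

```python
import csv
import io
from datetime import datetime

# Filter values quoted from the page's example conditions (compared case-insensitively).
TYPES = {"file operation", "print operation", "device operation"}
DETAILS = {"logon", "copy file", "web access (upload)", "ftp (send file)",
           "device category"}
TIME_FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format of the export

# Constructed sample rows. Column layout is an assumption; values that do not
# appear on the page (e.g. "Window Operation") are made up for illustration.
SAMPLE_CSV = """\
Operation Time (Source),Source,User Name,Operation Type,Operation Type (Detail),Target
2024-03-01 09:12:00,PC-SALES-01,sato,File Operation,Copy file,report.xlsx
2024-03-01 13:40:00,NAS-01,tanaka,File Operation,Copy file,design.zip
2024-03-01 13:55:00,PC-DEV-07,tanaka,Web Access,Web Access (Upload),design.zip
2024-03-01 14:05:00,PC-DEV-07,tanaka,Window Operation,Change active window,editor
2024-03-02 02:10:00,NAS-01,guest,Logon,Logon,console
"""

def load(text):
    """Parse exported CSV text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))

def narrow(rows, start=None, end=None, sources=None):
    """Apply the three viewpoints: time frame, operation type, source computer."""
    wanted = {s.lower() for s in sources} if sources else None
    hits = []
    for row in rows:
        when = datetime.strptime(row["Operation Time (Source)"], TIME_FMT)
        if (start and when < start) or (end and when > end):
            continue  # outside the suspected time frame
        op = row["Operation Type"].strip().lower()
        detail = row["Operation Type (Detail)"].strip().lower()
        if op not in TYPES and detail not in DETAILS:
            continue  # not an operation related to bringing-out
        if wanted is not None and row["Source"].strip().lower() not in wanted:
            continue  # not one of the computers under investigation
        hits.append(row)
    return sorted(hits, key=lambda r: r["Operation Time (Source)"])

if __name__ == "__main__":
    for r in narrow(load(SAMPLE_CSV),
                    start=datetime(2024, 3, 1, 13, 0),
                    end=datetime(2024, 3, 1, 15, 0)):
        print(r["Operation Time (Source)"], r["Source"], r["User Name"],
              r["Operation Type (Detail)"], r["Target"])
```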

(2) Checking a newly connected device

If an unknown device is connected to the network in your organization, information might leak out of that device. By searching the network, you can check whether there is any device newly connected to the network in your organization.

To view the search results, in the Settings module, select Discovery, Last Discovery Log, and then IP Address Range to display the IP Address Range view.

Check whether there is any unknown device among the devices displayed in the IP Address Range view. In the list of Last Discovery Log, use the Newly Discovered filter to quickly check for newly connected devices.

If you find any unknown device, check it based on its network address.

(3) Checking the security settings of computers

If a computer is vulnerable to illegal access, information leakage might occur. Check the security settings of the managed computers, and then take necessary measures if there is any problem.

Check the status of the security settings of computers in the Device List view, which is displayed by selecting Computer Security Status in the Security module and then Device List. A computer with the violation level Critical, Important, or Warning might have a problem with its security settings. By selecting the device you want to check in the Device List view and then selecting the OS Security Settings tab or the User-Defined Security Settings tab, you can check whether the status of each security configuration item is safe.

If you find any security configuration item that is not safe, you can forcibly change the setting to take necessary measures. Click the Enforce button. In the displayed dialog box, select the item for which you want to take security measures, and then click the OK button.

Tip

You can also check the status of security settings in the detailed security report. To display the detailed security report related to the security settings, in the Reports module, select Security Detail Reports and then Security Settings Status.