Splunk Lantern

Access to unencrypted resources

 

Access to critical resources should only be made over an encrypted connection. Especially in the context of a compliance mandate, encryption should be used for any channel that accesses in-scope resources. You need to detect when this is not the case—when unencrypted connections are being used to access in-scope resources—so you can determine potential misuse or unauthorized access, and potentially a deeper issue such as a compromised host or network device.

Required data

This sample search uses the Cisco ASA source type. You can replace this source with any other proxy data or firewall data used in your organization, such as Check Point OPSEC LEA or Palo Alto Networks. 

Procedure

Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype=cisco:asa app=<application name> dest_port!=443
|table _time user app bytes* src_ip dest_ip dest_port

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search: sourcetype=cisco:asa
Explanation: Search only Cisco ASA data. In this example, we specify the Cisco ASA data source, but your environment may only need tag=network, or you may need to add other sources.

Splunk Search: app=<application name>
Explanation: Filter your results to the in-scope application(s) you are investigating. If you have more than one, use an OR operation to include them.

Splunk Search: dest_port!=443
Explanation: Exclude results with destination port 443 (HTTPS). You can replace this value with that of other ports that are known to enforce encryption. Removing this line from the search provides an access audit trail for all resources. You can use it to identify whether a user accessed a critical asset, and whether that user's activity during the login session included viewing sensitive data. However, application logs may be more effective than firewall logs for this purpose.

Splunk Search: |table _time user app bytes* src_ip dest_ip dest_port
Explanation: Display the results in a table with columns in the order shown.
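The filtering the search above expresses, as an added Python example that is not Splunk's code or part of the original article, run over constructed ASA-style key=value events (users, apps, addresses and ports are made up). It generalizes the search to an OR list of in-scope apps and a configurable set of encrypted ports, expands the bytes* wildcard column, and mirrors one SPL detail worth knowing: dest_port!=443 only matches events that have a dest_port field, so events lacking it are dropped rather than reported.

```python
import re

# Constructed sample events in the key=value form the Splunk Cisco ASA add-on
# yields after field extraction. Hosts, users, apps and ports are made up.
SAMPLE_EVENTS = [
    "_time=2024-05-01T10:00:00 user=alice app=payroll bytes_in=1200 bytes_out=300 src_ip=10.0.0.5 dest_ip=10.1.1.10 dest_port=443",
    "_time=2024-05-01T10:01:00 user=bob app=payroll bytes_in=800 bytes_out=150 src_ip=10.0.0.6 dest_ip=10.1.1.10 dest_port=80",
    "_time=2024-05-01T10:02:00 user=carol app=crm bytes_in=500 bytes_out=90 src_ip=10.0.0.7 dest_ip=10.1.1.20 dest_port=8080",
    "_time=2024-05-01T10:03:00 user=dave app=wiki bytes_in=300 bytes_out=40 src_ip=10.0.0.8 dest_ip=10.1.1.30 dest_port=80",
    "_time=2024-05-01T10:04:00 user=erin app=crm bytes_in=700 bytes_out=120 src_ip=10.0.0.9 dest_ip=10.1.1.20 dest_port=8443",
    "_time=2024-05-01T10:05:00 user=frank app=payroll bytes_in=60 bytes_out=0 src_ip=10.0.0.10 dest_ip=10.1.1.10",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
TABLE_COLUMNS = ("_time", "user", "app", "bytes*", "src_ip", "dest_ip", "dest_port")

def parse_event(line):
    """Turn one key=value event into a dict of extracted fields."""
    return dict(KV_RE.findall(line))

def expand_columns(event, columns):
    """Expand SPL wildcard columns such as bytes* against the fields present."""
    out = []
    for col in columns:
        if col.endswith("*"):
            out.extend(sorted(k for k in event if k.startswith(col[:-1])))
        else:
            out.append(col)
    return out

def find_unencrypted_access(events, in_scope_apps, encrypted_ports=frozenset({"443"})):
    """Python equivalent of:
    sourcetype=cisco:asa (app=A OR app=B ...) dest_port!=443 | table ...
    in_scope_apps is the OR list; encrypted_ports lets you exclude further
    ports known to enforce encryption, as the explanation table suggests."""
    rows = []
    for line in events:
        ev = parse_event(line)
        if ev.get("app") not in in_scope_apps:
            continue
        # SPL field!=value only matches events that HAVE the field, so an
        # event with no dest_port is silently dropped, exactly as here.
        if "dest_port" not in ev or ev["dest_port"] in encrypted_ports:
            continue
        rows.append({c: ev.get(c) for c in expand_columns(ev, TABLE_COLUMNS)})
    return rows
```

Note that the frank event, which has no dest_port, never appears in the results; if such events matter to your audit trail, use NOT dest_port=443 in SPL instead, which does return events lacking the field.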

Next steps

Investigate why and how the application was accessed over an insecure connection. For in-house apps, you can drill down into the configuration settings. For SaaS apps, analyze your communication paths for a proxy that sends in cleartext. It is also possible, though unusual, that you have found a major bug in the SaaS provider's service.

GDPR Relevance: In-scope assets and applications store and process personal data. Ensuring that only encrypted connections are used to access those assets is an industry best practice and can be considered an effective security control, as required by Article 32. This is applicable to processing personal data from the controller, and needs to also be addressed if contractors or sub-processors from third countries or international organizations access and transfer personal data (Article 15). In the event that a Supervisory Authority executes powers to place an organization within the scope of a privacy audit, the organization must demonstrate compliance (Article 58). If the organization faces a personal data breach and individuals are impacted, those individuals have the right to demand compensation for material and non-material damage caused by the breach. The organization must prove that they have understood and addressed the risk appropriately and deployed proper countermeasures (Article 82). Capability to demonstrate that best practice was adhered to—that is, that only encrypted connections were used for accessing personal data—can help mitigate potential impact to the organization.

Finally, you might be interested in other processes associated with the Complying with General Data Protection Regulation use case.