Tuesday, April 17, 2018

Keeping the Wolves at Bay

The old biblical adage to “beware of the wolf in sheep’s clothing” in many cases applies to system administrators. Unfortunately, their mission sometimes conflicts with the security department. They must provide computing resources to users and they want to do it as quickly as possible. Business matters! So, when a user wants access to data (all legitimate) they do their best to help. Unfortunately, that sometimes means putting user permissions directly on folders, adding the Everyone group because they can’t figure out the correct permissions, or putting a folder containing sensitive data in a place that is open to many people. 

Now that you have remediated a whole slew of folders with Varonis DatAdvantage, how do you protect your glorious handiwork? There are a number of things that we can do. Here are some of the steps that we would take.
  1. Document your new standards and train the system administrators. Working with standard Windows tools is like exploring a cave with a flashlight. Possible but difficult. Teach them how to view permissions in DatAdvantage.
  2. Put in place detective controls (reports) to identify when changes are made that violate the new standards.
  3. Utilize an automated provisioning solution for the security groups that you have applied to the folders. Varonis has DataPrivilege, and there are other Identity and Access management solutions such as SailPoint and RSA Identity and Access Management.
Here are some of the reports that we use to maintain the new permissions structure:
  • Monitored Share – Global Groups in Use (4b): This lists all the folders where global groups are applied. It should be blank.
  • Monitored Share – Individual Permissions (12d): This lists all the folders where individual users are applied directly to a folder. It should be blank.
  • Monitored Share – Folder Changes (1a): This lists any permission changes or new folders created at the top level of the monitored share folder.
I know that you can run some of these reports across the entire environment, such as monitoring for global groups, but we set them up as separate subscriptions for the most important shares and don’t deliver them if they are empty. That way you can send them to the system administrators as well as the security team. If they see violations of policy, we want to encourage them to repair them without anyone having to ask. After all, these wolves are on your side.

Good luck keeping the wolves at bay!

Monday, April 2, 2018

Tracking High Value Targets

High value targets are resources that would be of great interest to people who should not have access to them.

These might be folders containing compensation information, the email mailbox of the CEO, or the database containing the credit card numbers of your customers. Knowing where that data is stored, used, and transmitted is a critical first step in making sure that you are doing your job as a security professional. Then align your security investments with protecting those high value targets. 

Before you go off and undertake a high-priced data classification and discovery project, please speak with your business leaders and get them to tell you what is important and where it is located. Then utilize your existing security tools to track activity to those assets.

Track high value targets with a SIEM. In an ArcSight implementation this can be done with asset categories and active lists. In the unstructured data world, the Varonis DatAdvantage suite gives you the ability to flag and tag these resources so that they can be easily identified, and special reports created to protect them.

Make sure that you have access provisioning and entitlement review processes in place to ensure that you are following a least privilege model. If you have 20 system administrators who have access to the compensation folder, that is a PROBLEM.

Only when you have the basic blocking and tackling in place should you move up to the advanced class and start talking about data discovery, data classification, and data loss prevention solutions. Focus on what matters to the business! Protect the high value targets.

Tuesday, March 20, 2018

Stay Away from the DUPs

We call them DUPs (rhymes with pups) and we are not referring to duplicates.  What we mean are Direct User Permissions.  In the Microsoft world of CIFS shares you can provision access to folders in three ways:  direct user permissions, Active Directory groups, or through built-in groups such as Authenticated Users.  The problem with adding users directly to the Access Control List of a folder is when things change.  If someone gets a new role in an organization, no one is going back to all of the folders where they are provisioned and removing their access.  The same thing is probably true if they leave the organization.  Even if you disable or delete the user account, the Access Control Entry for that user remains.

Yesterday, in doing a review of the high value targets (the most sensitive HR and compensation folders) for a client, we found people with Full Control on some of the folders, even though their accounts were disabled.  In one case, the system admin had left the organization six years ago.  They would have been far better off creating an AD security group and using that for access to the folders.  In that case, they would have deleted him from the group when he moved on from the company.  Then they would have dodged the nasty glare of the auditor.  So, stay away from DUPs and review permissions on your high value folders on a regular basis.
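The three conditions above (direct user permissions, "global" groups such as Everyone or Authenticated Users, and ACEs that outlive a disabled or deleted account) are exactly what the Global Groups in Use and Individual Permissions reports from the April 17 post are meant to catch. The following PowerShell script is an added example of the same review done with built-in tooling; it is not code from this blog or from Varonis. It assumes the ActiveDirectory module (RSAT) is installed so that users can be told apart from groups, that the account running it can read the ACLs, and that `$SharePath` (for example `\\fileserver\HR`) is the share or folder you want to review.

```powershell
# Added example: find DUPs, global groups and orphaned ACEs under a share.
# Not Varonis code and not from the original post; assumes the ActiveDirectory
# module is available and that $SharePath is readable by the caller.
param(
    [Parameter(Mandatory)] [string] $SharePath,   # assumed, e.g. \\fileserver\HR
    [int] $Depth = 2                              # how far below the share root to look
)
Import-Module ActiveDirectory

# Groups whose membership is effectively "everyone"; policy says they never
# belong on a monitored share.
$GlobalGroups = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

# Resolve each identity once for the whole tree.
$Cache = @{}
function Get-IdentityKind {
    param([string] $Identity)   # e.g. CONTOSO\jsmith, or a raw SID if unresolvable
    if ($Cache.ContainsKey($Identity)) { return $Cache[$Identity] }

    $kind = 'group'             # AD security groups are the approved pattern
    if ($Identity -match '^S-1-\d+-') {
        # Get-Acl shows a bare SID when the principal no longer exists in AD:
        # the ACE outlived a deleted account.
        $kind = 'orphaned'
    } elseif ($GlobalGroups -contains $Identity -or $Identity -like '*\Domain Users') {
        $kind = 'global'
    } else {
        $sam = ($Identity -split '\\')[-1]
        $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -Properties objectClass, userAccountControl
        if ($obj -and $obj.objectClass -eq 'user') {
            # userAccountControl bit 0x2 is ACCOUNTDISABLE: a DUP for a disabled user.
            $kind = if ($obj.userAccountControl -band 2) { 'disabled-user' } else { 'user' }
        }
    }
    $Cache[$Identity] = $kind
    return $kind
}

$Folders = @(Get-Item -Path $SharePath) + @(Get-ChildItem -Path $SharePath -Directory -Depth $Depth)
$Findings = foreach ($folder in $Folders) {
    $acl = Get-Acl -Path $folder.FullName
    foreach ($ace in $acl.Access) {
        # Only explicit ACEs are decisions made on this folder; inherited ones
        # are reported where they were set.
        if ($ace.IsInherited) { continue }
        $kind = Get-IdentityKind $ace.IdentityReference.Value
        if ($kind -eq 'group') { continue }
        [pscustomobject]@{
            Folder   = $folder.FullName
            Identity = $ace.IdentityReference.Value
            Finding  = $kind          # user, disabled-user, global or orphaned
            Rights   = $ace.FileSystemRights
            Type     = $ace.AccessControlType
        }
    }
}

# As with the reports, an empty result is the goal.
$Findings | Sort-Object Finding, Folder | Format-Table -AutoSize
```

Run it as `.\Find-Dups.ps1 -SharePath \\fileserver\HR -Depth 3` (script name assumed). Scheduling it against the most important shares and mailing the output only when it is non-empty mirrors the subscription approach described in the April 17 post; the `disabled-user` and `orphaned` findings are the ones that would have caught the six-year-old Full Control entry.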

Wednesday, October 18, 2017

BSidesCT 2017

Had a very good time at BSidesCT 2017 with Tyler and The King from Castle Ventures.  The organizers did a very nice job, Webster Bank provided a great venue, and there were some very informative presentations.  While I was there I had the pleasure of meeting Doug White from Security Weekly.  Did a brief interview with him, which you can find on YouTube.  We will be back next year.  In the meantime, check out the Security Weekly podcasts.

Tuesday, May 23, 2017

Guarding your Cyber Castle

In the days of lords and ladies, knights and pages, the lord of the manor decided what was important and not important to him.  If it was important it stayed in the castle.  If it was disposable and easily sacrificed it stayed outside the moat.  Then all the lord’s efforts were spent defending the castle and watching the crown jewels, ignoring all that he owned outside the walls.
Organizations need to follow a similar approach and focus their efforts on protecting the crown jewels of the organization.  These are the trade secrets, critical deal files, sensitive employee information, and confidential customer data.  This approach allows you to prioritize your investments in security initiatives.  If that critical data is stored in a folder on a file server, we need to watch that directory like a hawk.  Here is a checklist of what we want to do:

  • Restrict access to the folder to people who have a legitimate business need
  • Back up the data, with at least one off-line copy
  • Track permission changes to the folder
  • Track permission changes to the groups associated with that folder
  • Collect user activity and send activity reports to the business owner of the data
  • Identify unusual patterns of behavior by a user or a system
  • Alert on access by a new user or system, and correlate it with the access approval process
  • Periodically review people’s access rights to the sensitive folder
  • Classify the data in the folder with tags
  • Track the motion of files once they leave the folder
  • Encrypt the data

Of course, there are other things you want to do to protect the infrastructure (firewall = moat), but with this focus on your important digital assets, the odds of defending your castle are much higher.
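"Track permission changes to the folder" is the checklist item that Windows can do natively, without any third-party product. The script below is an added example of how to do it, not code from this blog or from any vendor named on it: it adds a SACL entry to the crown-jewel folder so that every successful change of permissions or ownership produces a Security log event (event ID 4670, "Permissions on an object were changed"), then reads those events back for review. It assumes the "Audit File System" subcategory is enabled on the file server (for example with `auditpol /set /subcategory:"File System" /success:enable`), that the script runs elevated (which `Get-Acl -Audit` requires), and that `$FolderPath` is the folder you want to watch.

```powershell
# Added example: audit permission and ownership changes on a sensitive folder.
# Not from the original post; assumes Audit File System is enabled, that the
# script runs elevated, and that $FolderPath is the folder to watch.
param(
    [Parameter(Mandatory)] [string] $FolderPath,   # assumed, e.g. D:\Shares\HR\Compensation
    [int] $LookbackHours = 24
)

# 1. Add a SACL entry: log successful attempts by anyone to change the DACL
#    or take ownership, on the folder and everything beneath it.
$rights = [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
          [System.Security.AccessControl.FileSystemRights]::TakeOwnership
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl = Get-Acl -Path $FolderPath -Audit       # -Audit pulls the SACL, needs SeSecurityPrivilege
$acl.AddAuditRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# 2. Read back the 4670 events the SACL now produces. Each one names who made
#    the change, which object, and the old and new security descriptors in
#    SDDL, which is the before/after a reviewer needs.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4670
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

$changes = foreach ($e in $events) {
    # The event XML carries named EventData fields; flatten them into a table.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.ObjectName -notlike "$FolderPath*") { continue }   # keep only our folder tree
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Who     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Object  = $data.ObjectName
        Process = $data.ProcessName
        OldSddl = $data.OldSd
        NewSddl = $data.NewSd
    }
}
$changes | Format-List
```

The SACL only needs to be set once; the second half can run from a scheduled task and feed the same "send it to the data owner, and only when it is non-empty" routine described in the April 17 post, or be forwarded to a SIEM so that a permission change on the compensation folder shows up next to the access-approval ticket it should correspond to.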

Saturday, May 13, 2017

The Cyber Shit has hit the Fan

The WannaCry ransomware outbreak that started yesterday is troubling in several ways.

The Internet is a wonderful thing.  It has changed the world in so many wonderful ways.  One of the keys to the success of the Internet is trust.  We do business with people we never meet, we buy products from companies across the globe located in places we’ve never been, and we stay in other people’s homes (and let strangers stay in ours) simply based on a digital image.  That trust (and the Internet as a whole) is a fragile thing.  Resiliency was not built into the technologies we use, and human emotions can only take so much.  The trust and faith we have and need will wear away as more and more bad things happen.

Certainly, the evil thugs who launched the malware should be despised by all. Unfortunately, it is not easy to find them and bring them to justice.  What is even more troubling is the behavior of the US government.  What “spying” and “intelligence” is worth the destruction that took place yesterday and continues to wreak havoc?  The NSA should immediately disclose any vulnerabilities it discovers to manufacturers unless we are engaged in an active war.  At this point the US government has no active declarations of war (and the War on Terror is a poor excuse to jeopardize every computer in the world), so it is time to totally revamp the Vulnerabilities Equities Process.  We need to protect all people against the real cyber threats that occur every day rather than fighting some ephemeral threat that may or may not be stopped by leaving millions of computers vulnerable to exploits.

This is our wake-up call!

For a good technical explanation of how to deal with this, head to the Varonis blog for information on securing systems with DatAlert.