Wednesday, December 29, 2010

Stop Monitoring a Directory in Varonis

There are several types of directories that you may not want to monitor at all in Varonis DatAdvantage. These might be temporary folders used by products such as disk archiving solutions, which keep a cache directory on each drive that is archived. The “Stop Monitoring” option stops all event collection and permissions monitoring for that folder and any subfolders.
Go to each drive where you believe this is an issue and click on the folder to be excluded to select it. Then right-click on the folder and select the “Stop Monitoring” option.

When you select the directory a warning dialog box appears asking you to confirm your choice.

If you click “Yes” then the system stops monitoring the folder immediately.

Tuesday, December 7, 2010

Wireless Security and Monitoring in Government Agencies

Ericka Chickowski has posted an article on DarkReading discussing the shortfalls of wireless security across government agencies. I offered several of my thoughts on the topic to Ericka, which were cited, especially the need for Network Access Control solutions. Here is the article. Here is a link to the GAO report.

Friday, November 19, 2010

Who is minding your Data Stores?

I recently received the “Benchmark Study on Patient Privacy and Data Security” by the Ponemon Institute, that was released on November 10, 2010. One thing that always screams out to me from these reports is how few of the data breaches are detected by the organization that was breached. According to this study less than half (47%) were detected by a hospital employee and in a significant number of cases (41%) it was the patient themselves that noticed the breach.

When you look at statistics from Gartner and other industry analysts, much of the security spending is going to preventative controls and a much smaller percentage is going to monitoring solutions and detective controls. Do we as security professionals have that backwards?

In spite of significant investments in firewalls and anti-virus tools - generally the two largest categories overall - organizations continue to get breached and data continues to leave the castle. Are you focused enough on detecting when unusual activities are taking place in your company and spotting potential breaches?

Wednesday, October 13, 2010

Home Directory Data Usage

One of the neat things that you can do with Varonis DatAdvantage is monitor how much disk space your users' home directories are taking up. If you are like most organizations where all of the home directories are stored in a common directory on the file server, this is a snap.

Using the 4f report - "File System Objects List" create a report with two filters.
  • The first is: "Access Path" and should be set to the top level folder that contains the users' folders; such as "D:\home."
  • The second is: "Directory Depth" and should be set to 3 so you capture each user's folder on a separate line in the report; such as "D:\home\auser."

Then click on the "Extended Properties" tab and select the "File count" and "Total size in MB" options. Sort the report on "Total size in MB" and away you go.

This will generate a list of all of the home directories with their associated disk usage, allowing you to identify users who are taking up an inordinate amount of disk space. Save this report to a spreadsheet and run this on a periodic basis and you will be able to track usage trends.

Tuesday, September 14, 2010

Slap on the wrist for Russian Hacker in RBS Case

Unfortunately, the Russian authorities only handed out a suspended sentence for Viktor Pleshchuk, one of the hackers who broke into the systems at RBS WorldPay Inc. They stole approximately $9 million from 2,100 accounts and Viktor essentially got off scot free.

Several inherent problems are revealed in this decision. First, the United States has no extradition treaty with Russia for these types of crimes. Since a large number of attacks originate from Russia, this is something that the State Department should be working on as one of the top priorities in Obama's efforts to improve cybersecurity. If we cannot punish the bad guys, all of the reports and committees are of little use. Second, according to the story on Bloomberg, his lawyer's statement that “This is not a regular crime but a cybercrime and Pleshchuk didn’t really have a full understanding of the damage he was causing,” is comical.

These types of criminals hurt thousands of people on a daily basis and need to be severely punished.

Sunday, July 25, 2010

Where are AD Groups Used?

Utilizing Varonis DatAdvantage, one can determine how an Active Directory group is being used on a file server. To find where a security group is applied to a folder directly, run the 4a – Effective Permissions for User or Group report. You need to select each File Server that you want Varonis to investigate, and since we are only interested in where the group is in the “ACL”, there are two options that need to be selected and set to True:
  • "Show only direct permissions"
  • "Distinguished unique"

This allows you to see every folder where the security group is directly applied.

Tuesday, July 6, 2010

Dealing with the CounterACT "Port Scan - SNMP" message

One of the challenges in managing the ForeScout CounterACT appliance is dealing with and cleaning up the false positives that arise from anomalous network behavior that is not malicious. For example, today we received a set of errors from one particular server that indicated that it was performing SNMP port scans. ForeScout correctly detected that something unusual was occurring and classified it as a malicious event.

Every several hours the server was performing SNMP port scans on IP addresses that no longer existed. What was causing these scans?

Upon further investigation, they were IP addresses for printers that had been moved and given new IP addresses. By running regedit and searching for one of the IP addresses we were able to determine that it was a printer that the server was looking for.

We went into the Control Panel, selected the printer in question, assigned the LPT1 port to the printer, deleted the old port, and then deleted the print queue. The problem was solved and another false positive was eliminated. Thanks John!

Wednesday, June 30, 2010

Warning - You Have Received a PDF file

With the recent spate of vulnerability disclosures in the Adobe Reader and Acrobat programs, it is time to take a big picture look at the PDF (Portable Document Format) format. The first observation that I make is that the PDF is not strictly a static file; because of its potential for embedded JavaScript actions, it is an executable program. Since it is an executable program, it needs to be treated as such from a security perspective. We need to have virus scanners aware of the executable functions within PDF files and warn us or inoculate us against the executable code that exists in the format.

Most people assume that a PDF file is a safe, immutable way to save and transmit unstructured information. Unfortunately because of the ability to create forms and JavaScript actions the PDF file has moved far beyond that; which is why the format has become so vulnerable to hackers. One solution that would stop this problem in its tracks would be for Adobe to create two different formats (PDF and PDX for example) and remove the JavaScript capabilities from the core PDF format. Until that happens we need to be wary of PDF files and take some of the following steps:

  1. Educate the user community that PDF files are inherently unsafe and should be treated with caution

  2. By default, disable the functionality to run JavaScript within Adobe Reader and use it only as an exception.

  3. Make sure that we have prevention tools in place to detect rogue PDF files.

  4. Make sure that we have deployed detective controls to notice when unusual behavior is taking place on a user’s workstation or on the network so that we can fight off the PDF-borne attacks.
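
One way to approach step 3, as an added example (not code from this post or from Adobe): a Python triage scanner that counts the PDF names marking JavaScript and automatic actions, decoding `#XX` name escapes first so an obfuscated name is still counted. The function names, verdict labels and the three sample documents are assumptions constructed for illustration.

```python
import re
from collections import Counter

# PDF name objects that signal active content or automatic triggers.
ACTIVE_NAMES = {"JS", "JavaScript", "OpenAction", "AA", "Launch", "AcroForm"}
# Names whose presence means a raw byte scan cannot see everything.
OPAQUE_NAMES = {"ObjStm", "Encrypt"}

# A name is "/" plus any bytes up to whitespace or a PDF delimiter.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #XX escapes, so /J#61vaScript is counted as JavaScript."""
    plain = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Triage a PDF by counting risky names anywhere in its raw bytes."""
    if b"%PDF-" not in data[:1024]:
        raise ValueError("no %PDF- header in the first 1024 bytes")
    names = Counter(decode_name(m.group(1)) for m in NAME_RE.finditer(data))
    active = {n: names[n] for n in sorted(ACTIVE_NAMES) if names[n]}
    opaque = {n: names[n] for n in sorted(OPAQUE_NAMES) if names[n]}
    has_script = bool(active.keys() & {"JS", "JavaScript"})
    auto_runs = bool(active.keys() & {"OpenAction", "AA"})
    if has_script and auto_runs:
        verdict = "quarantine"   # script wired to run without a click
    elif has_script or "Launch" in active or opaque:
        verdict = "review"       # active content, or content we cannot see
    else:
        verdict = "pass"         # forms alone are reported but not escalated
    return {"verdict": verdict, "active": active, "opaque": opaque}


# Constructed sample documents (minimal, not real-world files).
BENIGN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
SCRIPTED = (
    b"%PDF-1.4\n1 0 obj\n"
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n%%EOF\n"
)
PACKED = (
    b"%PDF-1.5\n4 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Length 8 >>\n"
    b"stream\n(opaque)\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("scripted", SCRIPTED), ("packed", PACKED)):
        print(label, scan_pdf(doc))
```

Because the scan works on raw bytes, names inside compressed object streams or encrypted documents are invisible to it, which is why those files are sent to review rather than passed.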

For those who are interested in the latest patches, Adobe issued updates yesterday for Adobe Reader and Acrobat that deal with the Critical security issues that have been discovered in the current release 9.3.2 (and earlier versions). Here is the security bulletin from Adobe with links to version 9.3.3 of the software products.

Saturday, June 26, 2010

SQL Server Job History

In running Varonis DatAdvantage there are times when you want to look at the history of the nightly jobs for a longer period than the defaults provided by SQL Server 2005. These defaults are based on 'Maximum job history log size (rows)' and 'Maximum job history rows per job.' If you are monitoring a large number of servers, then the system may only keep several days' worth of history for each job. Where disk space on the SQL Server is not an issue, one can change the delete option to purge data based on an overall duration, which can be specified in days, weeks or months. For example, we might want to retain 10 days' worth of history to assist in debugging issues. To do that, perform the following steps.

First run SQL Server Management Studio.

Then navigate to:
• Root
• SQL Server Instance
• SQL Server Agent
• Right click on SQL Server Agent

  • From here right-click on history.
  • Select the option to "Automatically remove agent history" and enter the duration that you want to keep the job history.
  • Click on OK and you are ready to run.

Wednesday, May 5, 2010

Justice Prevails

The recent convictions of the Sarah Palin email hacker, David Kennel, and the San Francisco system administrator, Terry Childs, are welcome events in the history of cyber crime.

These transgressions are not victimless; they affect everyone. One of the beauties of the Internet is its openness. That openness only works if people feel safe on the Internet. When individuals take advantage of that freedom by abusing their privileges or infringing on the rights of others, it harms all of us by whittling away at that trust.

The Internet has revolutionized the way we live and that can only continue when people who violate the laws involving computer usage are punished severely.

Saturday, May 1, 2010

Is Terry Childs a Cyber Extortionist?

On Tuesday, April 27th, a jury of his peers, which included a network engineer, convicted Terry Childs of a felony for withholding administrative access to the City of San Francisco's networks by refusing to hand over privileged user credentials. covers the story here.

His defense that his supervisors were not qualified to have the passwords is rather remarkable. He was a "privileged user" because his employer placed him in that position, not because of any rights he held. Childs' refusal to turn over the information to his superiors seems like a pure case of extortion and a total misunderstanding of his responsibilities, and I believe it is a good thing that he was convicted. It is another case of the laws starting to deal with the new threats that we face in the Information Technology world in the 21st century.

Saturday, April 3, 2010

SMTP Errors

The other day I was installing Varonis DatAdvantage for a customer and during the installation process received the following error, "The message could not be sent to the SMTP server. The transport error code was 0x800ccc15."

The first thing I wanted to check was that I had connectivity to the Exchange Server. So I used telnet to connect to port 25. That worked fine, so there was not a firewall in place blocking the connection. The Exchange server was set up to accept relays so that was not the problem.

After some investigation it turned out that McAfee VirusScan Enterprise 8.7.0 was the culprit.

Access Protection was enabled, so I reviewed the settings.

The issue was the rule to "Prevent mass mailing worms from sending mail" was blocking all traffic from the Varonis server. It was stopping all programs except those that are explicitly allowed from using SMTP to send messages.

Back to the McAfee server to add the programs in question and we are back in business.

Wednesday, March 17, 2010

Adobe Please Fix Your Software

I was configuring a new Varonis server today and needed to download Adobe Reader so that we can access the documentation. I went to the Adobe web site and clicked on the download button. When I finish the installation, what do I find out? That they are still installing 9.3.0 by default! This is the unpatched version that has been the subject of a number of exploits. If a random user who doesn't deal with security on a daily basis installed this, they could be hosed. I ran the updates, but many people wouldn't. Adobe, please release a version that includes the patches built-in.

Tuesday, February 23, 2010

Businesses Victims of On-line Bank Fraud

There have been a number of small businesses that have been getting ripped off through fraudulent wire transfers. In one example, Krebs on Security covers the details of how an IT consulting firm lost nearly $100,000 through wire transfers it did not make.

Customers need to make sure that their banks are using robust authentication, not just static passwords with additional questions to verify identity. These are too easily captured by keyboard loggers or other spoofing devices. The banks need to employ multi-factor authentication that cannot be victimized by the malware that is rampant throughout corporate America.

In addition, companies should be looking into keyboard encryption for computers that are accessing sensitive information. Please reach out if you would like to learn about how to defend yourself and your business.

Tuesday, February 16, 2010

Adobe Patches Reader and Acrobat Again

Security issues continue to crop up in Adobe Reader and Acrobat. Adobe has issued patches for Reader and Acrobat to correct security issues. Users should upgrade to version 9.3.1 of the software. Click here to see the Security Bulletin.

Saturday, February 13, 2010

Fatal System Error

We read every day about Eastern European crime syndicates that are involved in cybercrime, cyberwarfare, and other nefarious activities on the Internet. In many ways these organizations are black boxes, with very little information reported on who they are and how they work. Joseph Menn in his new book, “Fatal System Error,” tells the stories of two individuals, Barrett Lyon and Andrew Crocker, who have gone toe-to-toe with the evil hackers of the East. Menn has created a thrilling and informative work that delves into the specifics of these two Internet heroes.

The book starts off telling the story of a young self-taught computer whiz named Barrett Lyon. Barrett becomes an expert in fighting off Denial of Service attacks. Those looking for an in-depth technical discussion of how Barrett wards off the attacks will need to search elsewhere. The specific approaches that Prolexic takes are not described here, which is entirely appropriate in the context of how this story is told. Most of Barrett’s initial clients were in the Internet gambling business and were located outside of the United States. He founds a company, Prolexic, to provide a secure hosting environment to protect his clients from the Distributed Denial of Service attacks. Unfortunately for Barrett, the politics involved in running Prolexic get in the way of its mission and he decides to move on.
One of the main goals of the attackers was to extort money from the gambling sites. After many episodes of defending against the numerous extortion attempts, Barrett tries to fight back. He contacts the FBI on many occasions, without much success. However, in researching the attacks on BetCRIS, one of his clients, he gets the involvement of Andrew Crocker of England’s National Hi-Tech Crime Unit.

Menn expertly transitions the story to tales of Andrew Crocker. Crocker’s goal is to identify the criminals in Russia and bring them to justice. In the telling of this story, Menn sheds significant light on why convicting these foes is such a challenge. At the core of the problem is that the Russian government does not want these people prosecuted. On the local level, bribes of police and judicial employees keep the criminals out of jail. At the national level, the criminal masterminds are protected by high-level operatives in the Russian government. They touch on the periphery of the Russian Business Network and speculate that the Russian government overlooks the illegal activities of these groups because they want to use this expertise to support political aims such as the suppression of dissent and information in places such as Georgia and Estonia.

One of the conclusions that Menn and the investigators come to is that the protocols of the Internet need to be redesigned. They were developed by the US government to build a distributed, resilient network, and as such they have been an enormous success. The protocols were not developed with security in mind; it was not a consideration 35 years ago. Policing the Internet with current policies is extremely difficult if not impossible because the countries of the world have different objectives and place different emphasis on these crimes.
If you want a look into the Belly of the Beast, Fatal System Error is a great place to start.

Monday, February 8, 2010

Updating Varonis DA Immediately

Varonis DatAdvantage updates the Work Area's File Permissions and User Information on a nightly basis. Sometimes, after performing significant changes to improve your security, you want to get a view of the current state of your server. To do that you need to run the nightly jobs. You can run those jobs manually in two ways. One is through the Configuration menu with the DA GUI. The other, which I prefer, is to go directly to the SQL Management Studio to perform the jobs so I can monitor their progress.

Here are the steps:
1) Run the AD Walk(s)
2) Run the File Walk for each server that you have updated.
3) When those jobs are finished run the Pull Walk.
After the Pull Walk is complete, you can restart the DatAdvantage UI and the permissions will be current.

Sunday, February 7, 2010

Harden Your Service Accounts

In many cases we have service accounts that need powerful privileges to perform their tasks. This power also means that there is an elevated level of risk associated with these accounts. They could be used inappropriately to access resources without accountability, since they are not tied directly to a person. There are two steps that I recommend that people follow in locking down these accounts. Both of these activities involve starting Active Directory Users and Groups and then selecting the Properties option on the selected service account. First, select the Terminal Services Profile and check the option to Deny this user permissions to log on to any Terminal Server. The screen shot is listed here:

Then we want to restrict the computers that the service account can log into. This is found on the Account tab. Once on this tab, click on the Log On To command button. At this point enter the computer name(s) where the service account is used. This will limit the account to logging into only this machine.

Tuesday, January 26, 2010

Stop Monitoring a Server in Varonis

When you have a Windows server that is going offline, but you want to retain all the historical information in Varonis (the events and permissions), here are the steps you need to follow.

From within the Configuration Screen select File Servers. Then move to the server that you want to decommission.
1) Uncheck all of the boxes for Collect Events.
2) Uncheck the box for Local Accounts.
3) For each drive make sure the Crawl File System is set to Disable.
4) Click OK and you are all set.

Friday, January 8, 2010

8 Predictions for 2010 on Document Management Security

Each year there seem to be more and more breaches in information security. Some only cause embarrassment; others could cause harm. Take a look at this list of my predictions that I prepared for AIIM. Could you be affected by any of these items? If so, start locking down your information effectively. I would love to hear your feedback.

Thursday, January 7, 2010

Adobe Issues Update on Security Issues with Reader and Acrobat

Adobe issued an advisory today giving more information about the security issues with Adobe Acrobat and Reader. They plan to release a patch on January 12, 2010. Here is the security bulletin from Adobe.