Saturday, August 11, 2018

Habeas Data - A Review

Habeas Data, by Cyrus Farivar, is written at a critical time in our history.  The ability of organizations, both governmental and commercial, to observe and collect vast amounts of information about our behavior is growing by leaps and bounds.  In my opinion we are probably at the early stages of the ability to perform continual mass surveillance.  What we have now is a far cry from what will exist in a decade, probably on a scale never before imagined.  This book provides some deep insights into a subset of the issues raised by the increased technical monitoring abilities used by law enforcement and is worth the read.

The subtitle of the book is “Privacy vs. the Rise of Surveillance Tech.”  Farivar, a technology journalist with Ars Technica, gives a very narrow look at the world of privacy.  The focus is on American laws and practices as they are dealt with in the criminal justice system.  The Fourth Amendment to the U.S. Constitution is central to the narrative of Habeas Data and it is repeated here:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” 

The structure of the book is built around 10 Supreme Court cases and each is covered in a single chapter.  This is very effective as the author does an excellent job telling the story of the original crime and proceedings and how the appeals process turns each of these innocuous cases into a landmark defining the rights of all Americans.  There is continuity between the cases and the linkage is well written.  Farivar provides extensive end notes for those interested in further scholarship in the area.  If you want an education on the Fourth Amendment and current search and seizure rules, this book is a great place to start.


There is very little information on the larger topic of privacy as a right, except how it relates to criminal proceedings.  The introduction and last chapter, “Who Watches the Watchers?”, raise some points, and it would be helpful if those were further explored.  There is some discussion of the legislative process and how a few governmental bodies, such as Oakland, are dealing with privacy in the criminal realm.  This may reflect the apathy of many Americans.  Beyond some simple debates after Edward Snowden’s leaks and the debates over the encryption of cell phones after the San Bernardino massacre, these topics are rarely discussed in public policy forums.  Certainly, there are no great efforts in the legislative bodies in the US to develop societal guidelines around privacy and individual liberty. This is a far cry from the European Union, where privacy rights have gained much more importance. After the passage of GDPR, this will certainly continue there.


This is not a philosophical book, and one is not going to get a background on what privacy is, why it matters, and how technology is changing how privacy is perceived.  If you want thought-provoking ideas on how we might approach the future if we want to remain “private” citizens, you are far better off reading from the Electronic Frontier Foundation, and specifically the writings of John Perry Barlow, https://www.eff.org/john-perry-barlow.

Tuesday, April 17, 2018

Keeping the Wolves at Bay

The old biblical adage to “beware of the wolf in sheep’s clothing” in many cases applies to system administrators. Unfortunately, their mission sometimes conflicts with the security department’s. They must provide computing resources to users, and they want to do it as quickly as possible. Business matters! So, when a user wants access to data (all legitimate), they do their best to help. Unfortunately, that sometimes means putting user permissions directly on folders, adding the Everyone group because they can’t figure out the correct permissions, or putting a folder containing sensitive data in a place that is open to many people.

Now that you have remediated a whole slew of folders with Varonis DatAdvantage, how do you protect your glorious handiwork? There are a number of things that we can do. Here are some of the steps that we would take.
  1. Document your new standards and train the system administrators. Working with standard Windows tools is like exploring a cave with a flashlight: possible but difficult. Teach them how to view permissions in DatAdvantage.
  2. Put in place detective controls (reports) to identify when changes are made that violate the new standards.
  3. Utilize an automated provisioning solution for the security groups that you have applied to the folders. Varonis has DataPrivilege, and there are other Identity and Access Management solutions such as SailPoint and RSA Identity and Access Management.
Here are some of the reports that we use to maintain the new permissions structure:
  • Monitored Share – Global Groups in Use (4b): This lists all the folders where global groups are applied. It should be blank.
  • Monitored Share – Individual Permissions (12d): This lists all the folders where individual users are applied directly to a folder. It should be blank.
  • Monitored Share – Folder Changes (1a): This lists any permission changes or new folders created at the top level of the monitored share folder.
I know that you can run some of these reports across the entire environment, such as monitoring for global groups, but we set them up as separate subscriptions for the most important shares and don’t deliver them if they are empty. That way you can send them to the system administrators as well as the security team. If they see violations of policy, we want to encourage them to repair them without anyone having to ask. After all, these wolves are on your side.

Good luck keeping the wolves at bay!

Monday, April 2, 2018

Tracking High Value Targets

High value targets are resources that would be of great interest to people who should not have access to them.

These might be folders containing compensation information, the email mailbox of the CEO, or the database containing the credit card numbers of your customers. Knowing where that data is stored, used, and transmitted is a critical first step in making sure that you are doing your job as a security professional. Then align your security investments with protecting those high value targets.

Before you go off and undertake a high-priced data classification and discovery project, please speak with your business leaders and get them to tell you what is important and where it is located. Then utilize your existing security tools to track activity to those assets.

Track high value targets with a SIEM. In an ArcSight implementation this can be done with asset categories and active lists. In the unstructured data world, the Varonis DatAdvantage suite gives you the ability to flag and tag these resources so that they can be easily identified, and special reports created to protect them.

Make sure that you have access provisioning and entitlement review processes in place to ensure that you are following a least privilege model. If you have 20 system administrators who have access to the compensation folder, that is a PROBLEM.

Only when you have the basic blocking and tackling in place should you move up to the advanced class and start talking about data discovery, data classification, and data loss prevention solutions. Focus on what matters to the business! Protect the high value targets.

Tuesday, March 20, 2018

Stay Away from the DUPs

We call them DUPs (rhymes with pups), and we are not referring to duplicates.  What we mean are Direct User Permissions.  In the Microsoft world of CIFS shares you can provision access to folders in three ways: direct user permissions, Active Directory groups, or built-in groups such as Authenticated Users.  The problem with adding users directly to the Access Control List of a folder shows up when things change.  If someone gets a new role in an organization, no one is going back to all of the folders where they are provisioned and removing their access.  The same thing is probably true if they leave the organization.  Even if you disable or delete the user account, the Access Control Entry for that user remains.

Yesterday, in doing a review of the high value targets (the most sensitive HR and compensation folders) for a client, we found people with Full Control on some of the folders, even though their accounts were disabled.  In one case, the system admin had left the organization six years ago.  They would have been far better off creating an AD security group and using that for access to the folders.  In that case, they would have deleted him from the group when he moved on from the company.  Then they would have dodged the nasty glare of the auditor.  So, stay away from DUPs and review permissions on your high value folders on a regular basis.
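As an added example (this is not code from these posts and not a Varonis feature), here is a PowerShell detective control that covers both the report checks described in “Keeping the Wolves at Bay” (global groups in use, individual permissions on a folder) and the disabled-account DUPs described in this post. It walks a share root, looks only at explicit (non-inherited) ACEs, and flags global or built-in groups, direct user permissions, direct users whose account is disabled, and SIDs that no longer resolve to an account. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the share; the share path, the domain name in the comment, and the CSV output path are placeholders.

```powershell
# Added example: explicit-ACE review for a CIFS share (not from the original posts).
# Assumes the ActiveDirectory module (RSAT) is installed on a domain-joined host.
#Requires -Modules ActiveDirectory

# Principals that should never be applied directly to a data folder.
# Extend for your environment, e.g. 'CONTOSO\Domain Users' (placeholder domain).
$GlobalPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

function Get-PrincipalInfo {
    # Classifies one ACE identity: GlobalGroup, OrphanedSid, DirectUser or Group.
    param([Parameter(Mandatory)][System.Security.Principal.IdentityReference]$Identity)

    if ($GlobalPrincipals -contains $Identity.Value -or $Identity.Value -match '\\Domain Users$') {
        return [pscustomobject]@{ Kind = 'GlobalGroup'; Enabled = $null }
    }
    # Get-Acl returns a raw SecurityIdentifier when the name can no longer be
    # resolved: the account was deleted but its ACE stayed on the folder.
    if ($Identity -is [System.Security.Principal.SecurityIdentifier]) {
        return [pscustomobject]@{ Kind = 'OrphanedSid'; Enabled = $null }
    }
    $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
    try {
        # Get-ADUser only matches user objects; a group SID (or a server-local
        # account) throws, which we treat as "not a direct user permission".
        $user = Get-ADUser -Identity $sid -ErrorAction Stop
        return [pscustomobject]@{ Kind = 'DirectUser'; Enabled = $user.Enabled }
    } catch {
        return [pscustomobject]@{ Kind = 'Group'; Enabled = $null }
    }
}

function Get-AclFindings {
    # Emits one object per policy violation found on the share root or any subfolder.
    param([Parameter(Mandatory)][string]$ShareRoot)

    $folders = @(Get-Item -LiteralPath $ShareRoot) +
               @(Get-ChildItem -LiteralPath $ShareRoot -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop } catch { continue }

        # Inherited ACEs are reported once, on the folder where they were set.
        foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
            $info = Get-PrincipalInfo -Identity $ace.IdentityReference
            $finding = switch ($info.Kind) {
                'GlobalGroup' { 'Global group applied (cf. report 4b)' }
                'OrphanedSid' { 'Deleted account still on ACL' }
                'DirectUser'  {
                    if ($info.Enabled -eq $false) { 'Disabled user on ACL' }
                    else { 'Direct user permission (cf. report 12d)' }
                }
                default       { $null }
            }
            if ($finding) {
                [pscustomobject]@{
                    Folder   = $folder.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                    Finding  = $finding
                }
            }
        }
    }
}

# Usage: run per high value share. Placeholder UNC path below.
$findings = @(Get-AclFindings -ShareRoot '\\fileserver\HR$')

# Deliver only when the report is non-empty, as the subscriptions in the post do.
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    $findings | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'acl-findings.csv')
}
```

Running this on a schedule against each high value share, and sending the CSV to the administrators who own the share as well as the security team, gives you the equivalent of the 4b and 12d report subscriptions plus the disabled-account check. The top-level “Folder Changes” report (1a) is a baseline comparison rather than a point-in-time check and is not implemented here.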