Varonis Privacy and Trust Report

April 26, 2013

Even in an age of social media and voracious over-sharing, there are still times we need privacy online. When we engage in old-fashioned point-to-point communication, we expect the person or business at the other end to ensure that our interactions remain private. But it’s complicated.

In a new study conducted by Varonis, 91% of respondents say they trust businesses to keep their data safe despite a rise in breaches that now affects nine out of ten companies. In addition to expecting absolute security from service providers, the survey shows that 53% of consumers would be willing to pay a premium for organizations that reliably protect their data.

At the same time, consumer online habits have room for improvement. Though almost three out of four password protect their mobile phones, an alarmingly high 67% say they send unencrypted personal information in their emails.

Download the full report to learn how consumers deal with security and privacy challenges in their digital lives.

Download the Report

Enjoy, share, embed our infographic:

Varonis Privacy and Trust Report

Leave a Comment » | Managed Service Hosting, Retail IT Solutions, Marketing | Tagged: , , , , , , , , | Permalink
Posted by david ricketts

Internal Data Loss is Riskier Than You Think

April 19, 2013

In an excellent blog post, Gartner research director Anton Chuvakin poses the question: is an Excel spreadsheet full of credit card numbers on a poorly permissioned internal file share considered a data breach?

Many information security pros and even some DLP vendors would answer “no” because the risk of data loss is implied, not actual.  But I think that is an overly optimistic stance.  To me, this is equivalent to saying, “I know there’s a hole in my roof, but it hasn’t rained in a month, so it’s only an implied risk.”

Anton astutely points out that, in every large organization, you can bet your mortgage on there being unauthorized access to your environment, facilitated by any number of factors including, but not limited to: subpar authentication, BYOD, infected endpoints, or an Active Directory that looks like a rats nest.

Chuvakin says:

 ”The phenomenon of “internally lost data” is way more pervasive than most people think. I’d bet if you think that it is pretty pervasive, then it is EVEN MORE pervasive. Confidential, regulated and “merely” sensitive data on “all access” internal file shares, SharePoint boxes, team web servers, internal blogs, etc is literally all over the place.”

We can confirm this phenomenon as it’s one of the main reasons organizations evaluate Varonis.  We’ve written extensively on the Everyone Problem.  Trust us, this is actual risk.  So what do we do about it?

The Sniff → Scan Approach

Dr. Chuvakin talks about how well the Sniff → Scan approach has worked for some organizations: sniff the network to see what’s leaking and then scan your storage environment to figure out where that data lives:

“[Organizations] first saw *it* on the wire, got mad – and then got curious: just where exactly is it stored internally? “Oh, in 537 different places!”  Next they fought the battle for reducing the internal exposure and then – surprise! – the occurrences of that piece of data being seen on the wire decreased as well…”

The trouble with most DLP solutions that help with data discovery is that, once the data of interest is found, you’re on your own.  There’s no operator’s manual for reducing the exposure in a safe, methodical way without doing collateral damage to the business.  Once you’ve pinpointed where leaky data lives, wouldn’t you love to know: Who can access it? Who’s using it? Who is responsible/is the data owner? How to reduce access down to a least privilege model without cutting off people who need the data to do their jobs?

The only way to answer these questions is to combine other metadata streams with the classification information.  If you’re in the information security space, you’ll start to hear the term Context-Aware Data Loss Prevention, if you haven’t already.  Analysts have begun putting a lot of weight on the ability to determine the context of data and its usage in order to make intelligent decisions about protecting it.

Anton concludes:

“So, if you got [sic] a DLP tool, plan for using its discovery capabilities. Hit those shares, SharePoints, team servers, intranet web sites, etc, etc.  And, yes, you need a process, not just a tool!”

For an in-depth look at the Varonis process for preventing internal data loss, check out ouroperational plan blog series (which starts with data classification).  And if you’re interested to see how the Varonis Data Governance Suite brings context to DLP, let us show you!

Also, have a look at Anton Chuvakin’s blogs here and here.  He’s one of the most entertaining and prolific writers on data protection.

Leave a Comment » | Application Hosting, Managed Service Hosting, Retail IT Solutions, Marketing | Tagged: , , , , , , , , , , , , | Permalink
Posted by david ricketts

5 Steps to Get Data Owners Started : What to do with my data

April 8, 2013

During a recent conversation a customer asked if we had a Getting Started Guide for Data Owners. After using Varonis to identify and assign owners, one of the new data owners asked, “What am I supposed to do now? What do data owners do?”  In order to help him—and anyone else in this situation—I created 5 high-level steps business users can follow to get started as a data owner.

Step 1: Take inventory of your data and confirm ownership

One of the first things data owners should do is review the data for which they are responsible; IT should provide them a report listing all the folders, SharePoint sites, etc. that they own. Owners should carefully review this report and confirm with IT that they are, in fact, the correct owners of this data. It is also important that they understand which, if any, of these folders contain sensitive data, which folders are open to other groups in the organization, and which teams they expect to collaborating with.

Once they have reviewed their data assets, they will be able to start governing and protecting their data effectively. In addition, they should determine if other users will need to be involved in the authorization process (delegated “authorizers” for specific folders), and coordinate with them on how access requests will be processed.

Step 2: Review permissions/users with access

Once they’ve confirmed ownership and they understand the types of data contained in these folders, the next step would be to perform an initial Entitlement Review.  These can either be done manually with IT provided lists of people to review, or with automated solutions, like Varonis DatAdvantage and DataPrivilege.

During an initial entitlement review, data owners will review which users have access to which data and make decisions about which users should be removed or added. Solutions that provide automated entitlement reviews, like DataPrivilege, automate this task end to end, providing actionable information to data owners, (e.g. recommendations based on access activity and cluster analysis) and effect changes to the appropriate ACL’s and groups without IT intervention.

It is important that this step be carefully performed, whether manual or automated, as this will be the first step in cleaning up excess access and ensuring that only the right people have access to data.

Step 3: Ensure all requests are processed for the appropriate reasons

Once owners have performed their initial review, they should now be in “maintenance mode” and ongoing data ownership activities shouldn’t take much time– they’ll mostly need to approve/decline access requests as they come up, either with an automated solution (like DataPrivilege) or through a manual process. As a best practice, every access request should ask the requestor to enter a reason for requesting access, either selected from a menu of legitimate reasons, or manually entered.

Data owners should consider access requests carefully, especially when the data they’re managing is sensitive:

  • What data are they requesting access to?
  • If I grant access, is there anything in that folder that they should treat as confidential?
  • Should access be granted permanently, or temporarily?
  • If access should be granted temporarily, how will we remember to revoke it? (Manual process or with automation like DataPrivilege)

Step 4: Do periodic entitlement reviews

On a regular basis—once a quarter, every 6 months, etc.—IT should require owners to complete an attestation, or entitlement review. This will ensure data owners review any changes or new recommendations made since their last review and ensure that organizational changes have not granted unwarranted access. Owners should have the option to specify where access should be restricted or stay the same, and a record of their decisions should be kept. Entitlement reviews help organizations efficiently maintain a least privilege model.

Step 5: Review access statistics on your data

If available, data owners should have the ability to access a dashboard which includes permissions and access activity relevant to their data, as with DataPrivilege’s Self-Service Portal. Data owners can make better decisions if they are able to see who is accessing their data, which folders are most accessed, least accessed, or stale, and who is accessing folders that hold sensitive data.

Conclusion

While there are a lot more details on data ownership, we hope this list provides a starting point for Data Owners on how to govern their data effectively. For more information you can visit our collection of blogs on data ownership or download our whitepapers from our resource center.

Leave a Comment » | Managed Service Hosting, Marketing, Retail IT Solutions | Tagged: , , , , , , , , , , , , , , , | Permalink
Posted by david ricketts

Cost of data and computer security: rising and fast

March 15, 2013

Costofsecurity_rev

Leave a Comment » | Application Hosting, Managed Service Hosting, Marketing, Retail IT Solutions | Tagged: , , , | Permalink
Posted by david ricketts

The growing threat of insider fraud not a top security priority for organizations

March 5, 2013

An Attachmate sponsored Ponemon Survey indicates the growing threat of insider fraud is not a top security priority for organizations which is proving to be a costly mistake.

On average, organisations experience approximately one fraud event per week, according to information from the second annual Attachmate and Ponemon Institute survey, “The Risk of Insider Fraud

However, only 44% of respondents say their organisation views insider fraud prevention as a top security priority, a perception which has declined since 2011.

The average cost of a data breach in a 2011 study was $194 per lost or stolen record

The survey reveals some alarming data security trends:

  • On average, it takes 87 days to first recognize that insider fraud has occurred and more than three months (105 days) to get at the root cause of the fraud.
  • 79% of respondents say that in their organization a privileged user has or is very likely to alter application controls to access or change sensitive information and then reset the controls.
  • 73% of respondents, an employee’s malfeasance has caused financial loss and possibly brand damage.
  • 81% say they already had an employee use someone else’s credentials to gain elevated rights or to bypass separation-of-duty control
  • 48% of respondents say that BYOD has resulted in a significant increase in fraud risk
  • 77% of respondents say the lack of security protocols over edge devices presents a significant security challenge and risk

This data demonstrates the invisibility of employee actions across an enterprise,” said Larry Ponemon, chairman and founder of Ponemon Institute. “While organizations may have policies and procedures to thwart insider fraud, it doesn’t mean employees will remain compliant, particularly with the rise of Bring Your Own Device (BYOD) practices

Data security and insider threats continue to be a challenge for organizations, particularly as BYOD brings complexity to enterprise risk management,” said Christine Meyers, director of Attachmate’s enterprise fraud management solutions. “Next-generation enterprise fraud management solutions, such as Attachmate Luminet, are able to correlate cross-channel activity, score risk and provide a screen-by-screen replay of what actually occurred. Add to that the proven deterrence factor that arises from being able to see and monitor use and abuse, and you can see why customers choose to deploy this technology for fraud detection

Fraud statistics

  • On average, organizations have had approximately 55 employee-related incidents of fraud in the past 12 months
  • More than one-third say that employees’ use of personally owned, mobile devices has resulted in malware and virus infections that infiltrated their corporate networks and enterprise systems and another 26% it is very likely to occur
  • 61% rate the threat of insider risk within their organization as very high or high
  • 23% say insider fraud incidents existed six months or longer before being discovered and 9% could not determine when they occurred.
  • 55% of organizations say their organization does not have the ability/intelligence to determine if the off site employee’s non-compliance is due to negligence or fraud

Threats from BYOD, Mobility & Edge Devices

For the first time the study asks questions about the effect Bring Your Own Device (BYOD), mobility and edge devices have on the risk of insider fraud. We define BYOD as the employees’ use of their personally owned mobile devices (typically smart phones, tablets and laptops) for both work and non-work activities.

An edge device is a physical device that can pass packets between a legacy network (like an Ethernet network) and an ATM network, using data link layer and network layer information. An edge device does not have responsibility for gathering network routing information. It simply uses the routing information it finds in the network layer using the route distribution protocol. An edge router is an example of an edge device.

Edge devices and BYOD make it difficult to identify insider fraud

58% agree that BYOD makes it more difficult for the security or compliance department to have complete visibility of employees’ access and computing activities. The majority of respondents (78%) do not agree that employees’ access and possible misuse of edge devices is completely visible to the security or compliance department (100% – 32% of strongly agree/agree responses).

The study defined insider fraud as the malicious or criminal attacks perpetrated upon business or governmental organizations by employees, temporary employees and contractors. Typically, the objective of such attacks is the theft of financial or information assets, which include customer data, trade secrets and intellectual properties. Sometimes, the most dangerous insiders are those who possess strong IT skills or have access to an organization’s critical applications and data.

With this research, we want to reiterate that organizations are not immune,” said Meyers. “The threat of insider fraud is a growing risk that can result in tangible financial loss to businesses. And the longer an organization takes to address it, the more costly it can become

The insider fraud survey includes results from more than 700 individuals at leading global organisations.

 

Leave a Comment » | Managed Service Hosting, Marketing, Retail IT Solutions | Tagged: , , , , , , , | Permalink
Posted by david ricketts

Start Sweating the Small Stuff

February 27, 2013

In his recent New York Times article, “That Daily Shower Can Be a Killer,” renowned geographer Jared Diamond observes how Americans tend to greatly exaggerate risks that are sensational and beyond our control—like plane crashes and nuclear radiation—yet underestimate the mundane, but more common risks that we can control—like slipping in the shower or falling from a ladder.

In my geek-centric mind, I immediately drew a corollary to computer security.   We’ve all met the engineer who will spend weeks obsessing over which password hashing algorithm to use, but fail to implement a solid password policy.

If you find yourself being hyper-paranoid about dangerous, but implausible attacks…stop!  Do a quick risk/frequency gut-check to determine whether you’re wasting time.  You shouldn’t be debating the strength of SHA-256 while your employees are emailing trade secrets to a Nigerian Prince.

XKCD: Security

What are some of the fall-in-the-shower type risks when it comes to data protection?  Our State of Data Protection Report from last year highlights a few:

  • Only 26% of companies are very confident their data is protected
  • 18% weren’t confident at all
  • 23% of companies were not confident or unsure where their critical business data resides
  • 27% of companies did not monitor any access activity on file servers and SharePoint sites
  • 13% of companies never revoke access to data when an employee leaves the organization
  • 61% do not scan their environment for sensitive data

Based on our results, there’s clearly a lot of room to tighten up these fundamental areas of day-to-day risk.  Just as Mr. Diamond’s goal is to reduce life’s common accidents to 1 in 1,000, we should strive to minimize common data security risks, like insider theft, by implementing soundsecurity programs.

Want to learn more about risk analysis?

Here are some good resources:

Leave a Comment » | Application Hosting, Marketing, Retail IT Solutions | Tagged: , , , , , , , , , , , | Permalink
Posted by david ricketts

Cybersecurity Now Top of Mind Around the World and Network Security is Taking Center Stage

February 26, 2013

It’s no surprise that in the wake of the rapid increase in cyber attacks, governments around the world are moving towards strengthening their cyber security, and even taking steps to mandate better collaboration on security issues between the private and public sectors. Here is a sample of the most recent initiatives:

  • US – Feb-2013: Obama Orders Cybersecurity Standards for Infrastructure
  • European Union – Feb-2013: EU Unveils New Cybersecurity Policy
  • Italy – Jan-2013: Italian Government Approves Cybersecurity Measures to beef up strengthen online security and protect critical infrastructure from increasing cyber assaults
  • India – Jan-2013: India Developing National Cybersecurity Architecture. India is in the midst of developing a national cybersecurity architecture aimed at preventing sabotage and espionage of its core IT systems and networks
  • Australia – Jan-2013: Australia toughens stance on cybersecurity
  • Russia – Jan-2013: The Russian Federal Security Service gets empowered to create a state system for the detection, prevention and liquidation of the effects of computer attacks on the information resources of the Russian Federation

There are important common factors in all the above:

First, a global appeal for stronger collaboration between the public and private sectors to share intelligence on cyber attacks. Under existing EU rules, telecommunication companies are already required to report significant security incidents. Wade Williamson, one of our in-house experts on cyber threats recently wrote in this blog about “Combating Emerging Threats Through Security Collaboration”

Secondly, a shared understanding that the global economy is highly dependent on critical infrastructure that might not be as secure as initially thought. For example, the U.S. executive order specifically mentions power grids, pipelines and water systems.

Finally, full awareness that much of the critical infrastructure supporting a thriving, modern economy relies on a set of interconnected networks and systems that must be closely monitored and protected. The proposed European directive calls out the need for resilient, safe, and stable networks and systems.

One takeaway for our customers is that network security is being more systematically called out in cybersecurity discussions worldwide and is even taking center stage. Some analysts have commented that network security will remain the largest cybersecurity submarket for the next 10 years.

Why? Even as SaaS applications, social networking, mobile devices, or cloud-based computing become mainstream and push the limit of the traditional enterprise perimeter, the network and the firewalls remain the one place where organizations in both the public and private sectors can see all traffic and actually enforce security policy.

via cybersecurity, cyber security, network securityPalo Alto Networks Blog.

Thanks to http://www.thethreatvector.wordpress.com

1 Comment | Managed Service Hosting, Marketing | Tagged: , , , , , , , , , , , , | Permalink
Posted by david ricketts

Obama has become the first cyber-war president.

February 13, 2013

U.S. Cyber Command (CYBERCOM), the military command responsible for the bulk of America’s defensive and offensive cyberwar efforts, is receiving a 500% manpower increase. Between 2014 and 2016, the Pentagon expects to add thousands of new billets–the exact number is still unknown–to the 900 service members currently assigned to CYBERCOM. CYBERCOM is tasked with a staggering array of tasks designed to secure America’s online infrastructure; this ranges in real life from detecting and patching security holes in critical infrastructure such as banking and utilities to creating new network defenses for the military’s sprawling computer systems.

Some really interesting videos that look at the issues that not only the US but we all face in the future. The significant increase in the amount of manpower being recruited by the US military to address cyber crime highlights how serious they are taking the threat. However, it is important for all companies to look at cyber crime, anti-virus and anti-spam solutions do not protect you from all cyber crime and now is the time to examine what can be achieved with limited budgets.

Thanks to fastcompany.com for the videos

1 Comment | Application Hosting, Managed Service Hosting, Marketing | Tagged: , , , , , , , , , , | Permalink
Posted by david ricketts

Determining the Root Cause of a Data Breach With “The 5 Whys”

February 5, 2013

The jarring sound of an iPhone vibrating against a mahogany nightstand at 3:15am.  This can’t be good.  Server down?  Much worse: 50,000 sensitive files have been stolen from a poorly permissioned file server.  First, damage control.  Next, investigation.

Problem: 50,000 files were stolen.

Why?  The files were accessible to everyone in the company, even guests.

Why?  The folder’s access control list was configured incorrectly.

Why?  Chuck the intern configured that file server in 2007 and it hasn’t been reviewed since.

Why?  We don’t have a process to review file system permissions.

Why?  Because manually reviewing every folder’s ACL for problems is like searching for a needle in a haystack…and THERE’S ONLY THREE OF US AND A THOUSAND FILE SERVERS! SHEESH!

This fun little question-asking technique is called The 5 Whys.  It was developed by Sakichi Toyoda at Toyota to determine the root cause—and solution—to any given problem in the manufacturing process.  The technique has been borrowed by coders, sysadmins, and startup founders alike.

See, behind every technical problem is usually a human problem.

On the surface, it seems like the above fictional security incident was technical in nature – the ACL was configured incorrectly.  Deep down, however, the problem was the company’s non-existent entitlement review policy.

The 5 Whys technique encourages us to address the problem on multiple levels: fix the ACL, stop letting interns configure important systems by themselves, and institute a system for performing periodic entitlement reviews.

Sometimes it’s not feasible to immediately address every single problem uncovered, but 5 Whys suggests that if you make a proportional investment in the solution every time an incident occurs, you’ll eventually get to a point where you have an optimal level of protection against a given problem.  In our example, maybe you’d start by piloting entitlement reviews with a small business unit, or review just the super sensitive data sets.

The 5 Whys is an excellent technique for determining root cause so you can take reactive steps to ensure a problem doesn’t happen twice.  In my next post I’m going to talk about a new model for holistically evaluating your company’s risk profile so you can make proactive improvements.

Leave a Comment » | Application Hosting, Managed Service Hosting, Marketing | Tagged: , , , , , , , , , , , , , , | Permalink
Posted by david ricketts

Is DNA Really Personally Identifiable Information (PII)? No. Maybe? Yes!

February 5, 2013

Biometric data is at the limits of what current personal data privacy laws consider worthy of protection. This type of identifier covers fingerprints, voiceprints, and facial images. While the risk factors are not nearly as threatening to consumers as more traditional PII, they do exist. Until recently, the dangers of biometric identification using DNA were more theoretical than real. That has suddenly changed. An article in The New York Times last month put a spotlight on research that proved the feasibility of identifying a person—getting a specific name and address—all from a DNA sequence posted online.

It’s not that regulators have overlooked biometric identifiers. Under HIPAA’s safe harbor rules, for example, the Department of Health and Human Services has a list of 18 e-PHIs that would need to be removed from public medical data for it to be effectively considered de-identified. Along with IP addresses, URLs, email addresses, HHS mentions biometric data, with voiceprints and fingerprints given as the only examples.

I’ve already written about how the Federal Trade Commission, another key US agency involved in data privacy regulation, has issued new guidelines to companies collecting facial images. Driving the FTC’s suggestions—mostly directed at retailers—are the recent improvements in image recognition technology and the availability of massive amounts of tagged photos on social media sites. Image matching software is now good enough so that a face captured by a store’s mall kiosk can eventually reveal ethnicity, mood, and with good likelihood, an actual name behind the face.

The risk of linking a name to a set of fingerprints is less serious for the general public— unless you have a criminal record. However, after the Graduate Management Admission Council  (GMAC) began using fingerprints to establish the identity of students taking their “GMATs” for admission to US business schools, the testing company realized there could be privacy issues.

GMAC ultimately decided to use palm scans, which are based on digitizing vein patterns. Since public databases of hand veins don’t exist, the possibility of identification is eliminated.

I would have put DNA into the same category as palm scans: there’s advanced matching technology—available even at the consumer level—but without a public database, there isn’t much of a privacy issue, and therefore DNA is not really a PII.

However, this is not true anymore, and that was the starting point for the researchers mentioned in the Times article. There are actually two public genealogy databases for tracking down one’s ancestry, Ysearch and SMGF, with a combined 135,000 records of DNA data and covering about 39,000 unique last names.

These genealogy databases simply accept a key—actually a pattern on the Y-chromosome—and then return a surname (along with a confidence level). The idea behind these services is to help subscribers find their ancestors and learn more about family backgrounds.

The researchers then examined whether they could narrow down their search. They assumed that they had the state of residency of the subject along with a birthdate—both of these, by the way, are not considered PII under current HIPAA rules. With these three data points and public US Census data, they were able to prove that successful DNA matches would lead to just 12 people on average. That’s a stunning end result from starting with just a DNA pattern.

How good is the DNA “keyword” match at finding a last name? The researchers projected a success rate of 12% for males—since it’s based on the Y chromosome—with a 5% false positive. This is not nearly as accurate as the facial scans, but still a cause for concern. They concluded that the risk of this DNA-based last name search will grow in the future, and there are other scientists and experts who are calling for more public discussion.

I decided to check the privacy policy of one of the DNA testing services. Here’s the good news. They’ll only release your DNA data to third parties with your consent; they treat genetic data as personal data (like name and address), and they say that the genetic data is stored on “secure servers”.

However, thinking purely in term of bytes, folders, and access rights, I’m wondering how truly secure those DNA files are, and whether there are already hackers looking to get that data using the same techniques and exploits they use to snatch credit card numbers and other personally identifiable information.

Leave a Comment » | Application Hosting, Managed Service Hosting | Tagged: , , , , , , , , , , , | Permalink
Posted by david ricketts

« Previous Entries
Follow

Get every new post delivered to your Inbox.

Join 754 other followers