Tuesday, 05 November 2013 09:26
The data breach at Adobe Systems Inc. is turning out to be worse than previously reported. Back in early October, Adobe announced that approximately 3 million accounts were compromised, and that these “sophisticated” attacks accessed customer IDs, encrypted passwords, and other personally identifiable information. Additionally, Adobe announced that source code from multiple products had been stolen, including Adobe Photoshop, the widely popular tool for photographers. Fast forward a couple of weeks and the actual number of compromised accounts is more than 13 times the original 3 million. That’s over 38 million Adobe accounts.
To the casual reader it would appear that since the passwords were encrypted, everything would be fine. But unfortunately, that is not the case. According to Marcus Carey, a former investigator with the National Security Agency, the Adobe attackers may have been able to access them in plain text by one of several methods, including breaking the algorithm that Adobe used to scramble them. (From http://www.reuters.com/article/2013/10/29/us-adobe-cyberattack-idUSBRE99S1DJ20131029)
And since many people use the same password for multiple accounts, including accessing their workstation via Active Directory, you need to wonder “is the rest of my (and my organization’s) sensitive information safe?”
As we wait for Adobe to complete their investigation on this data breach, hopefully other organizations take note of this event. Regardless, STEALTHbits is here and ready to answer your questions on how to discover and govern access to your organization’s most critical digital assets. Contact Us today!
Remember, remember the 5th of November! If you’re a fan of the film “V for Vendetta” or just happen to know a thing or two about history, this phrase likely popped into your head as you looked at the calendar this morning, realizing that today marks the yearly occasion known as Guy Fawkes Day. For those of you that don’t know, this holiday came to be in early England, where a man named Guy Fawkes was arrested on November 5th while standing guard over a pile of explosives that had been planted under the House of Lords, foiling the Gunpowder Plot of 1605. The English have celebrated Fawkes’ failure to blow up Parliament ever since.
Now, if you’re an American (or from any country other than England for that matter), this may not seem incredibly interesting or relevant to you. What should be, however, is the organization that uses the iconic image of the Guy Fawkes mask as its mascot, Anonymous.
Although regarded by people in many different ways, from digital Robin Hoods to cyber-terrorists, Anonymous has always made one thing clear – they will exploit your organization’s security weaknesses if they have any sort of gripe against you. Events they have been responsible for in the past involve many different things - from executing a WikiLeaks revenge plot by bringing down the PayPal website, to releasing the personal information of multiple Westboro Baptist Church members to be seen by the public. Whatever the plot, they have proven their ability time and time again to virtually bring any organization to its knees, almost at will.
This year, they have threatened the social media powerhouse known as Facebook – specifically Zynga – due to recent layoffs the company has announced. The event, whatever it may be, is slated to occur sometime today. Not to sound too corny, but this, of course, begs the proverbial question: Will Anonymous be successful with their attack? Or will history repeat itself, with Facebook shutting down their plot, just as the London authorities did with Guy Fawkes himself 408 years ago?
Although what will actually happen this afternoon still remains to be seen, we at STEALTHbits believe this is as good a time as any to draw attention to the importance of cyber security within your company. Although a super hacker group like Anonymous might not be targeting your organization, there are always threats to your sensitive information and data, both internal and external. Steps must be taken to secure your networks and protect against attacks with extra technology being implemented to ensure the safety of your most critical IT components.
STEALTHbits specializes in this exact thing. Check out some of our sensitive data solutions and prevent yourself from becoming the next victim in a future cyber-attack.
October 14, 2013, Hawthorne, NJ - One of the many undeniable facts of the 21st century is that we live in a time of ever-expanding globalization. People everywhere are connected. Events that occur at opposite ends of the earth can make ripples in various places across the entire world. So, when a document from the “Commission de Surveillance du Secteur Financier” in Luxembourg entitled “Circular CSSF 13/554” (CSSF for short) came across our desks last week, we dove right into it. Finding the translation of the legal jargon in the memo a tedious task, we decided that we would like to help make some sense of it all with a nice, easy-to-read overview. So, whether you’re someone with an affinity for financial compliance standards in other countries or a member of a Luxembourg institution itself (Bonjour!), read on for some CSSF knowledge.
From the start of the document, the message that the CSSF is trying to convey to the various financial organizations in Luxembourg is very clear: “Professionals of the financial sector must always have full control over the resources under their responsibility and the corresponding access to these resources, primarily for compliance and governance reasons and secondly in order to protect confidential data subject to professional secrecy.” Simple enough. Now, reading the various requirements that must be met in order to adhere to that goal is where my eyes began to glaze over. Split up below into bullet points are some of the most important requirements for compliance along with their corresponding sections, simplified. For reference, the original document can be found here.
Phrases To Know:
An access tools policy written in a way that is easy to understand by people who are not IT specialists. It must be approved by the management of the financial institution.
The technical implementation of the “Approved AT Policy” on access tools systems.
The digital copy of the “Approved AT Policy” located within the tool used to perform the preventative controls. It is the baseline used to compare an AT policy change request to the “Approved AT Policy” and decide whether to authorize or implement said change.
“Annex: Technical note – Evolution of the usage and control of the resource access tools”
“Considerations on preventive versus corrective controls/usage of specific tools”
“Conditions for preventative control effectiveness”
“Use of corrective controls as contingency solutions”
“Particular Case of Policy Import”
Although brief, this summary gives a good overview as to what financial companies are up against in Luxembourg. Hopefully you were able to stick with it to the end as it is very important for companies located in Luxembourg to adhere to these provisions as quickly as possible (The original circular was distributed on January 7th, active immediately).
That said, you’re probably scratching your head wondering where you can find a company/product to work with that will help you satisfy all of these complicated compliance requirements. Look no further!
Give us a call or send an email
Friday, 27 September 2013 16:23
September 27, 2013, Hawthorne, NJ - Although the HIPAA Omnibus rule was implemented on March 26th, 2013, businesses everywhere were given roughly 6 months to comply with the new standards. Fast forward 180 days and, as it would appear, the deadline passed four days ago, on September 23rd. This means that if you are a member of a company or business in the healthcare industry (or have a direct relation to it), and are somehow hearing about this for the first time through me (you’re welcome), it’s probably time to become compliant. Otherwise, you may begin to see heavy fines coming your way in the not-so-distant future. Now, I realize perfectly well that real-life implementation of the various new sets of regulations and standards outlined in the table-breaking 563-page document that the Department of Health and Human Services put out can be a daunting task. So, to help begin the understanding process if you’re an Omnibus newbie, or to reinforce what you may already know if you’re a HIPAA buff/enthusiast, I have briefly listed below what I believe to be three important changes:
1. Business Associates Must Also Be HIPAA Compliant
They say that it takes two to tango. Although this phrase only somewhat bears relevance to the matter at hand, it represents the fact that the government now expects healthcare providers to work with other companies to help safeguard data. Under the Omnibus rule, these other outside “storage companies” or “business associates” are also required to be HIPAA compliant. Now, “What defines a company as a business associate?” you may ask. Well, according to the official document, a business associate is defined as one who, “creates, receives, maintains, or transmits protected health information on behalf of a covered entity.” So, it’s very important to make sure the company that houses your documents, whether they be digital or tangible, is also up to code. Having your classified patient files show up on an episode of “Storage Wars” would probably be a very bad thing for business.
2. Changes to the HIPAA Privacy Rule
Although there are numerous changes to the privacy rule (way too many to talk about here while trying to maintain your interest), there were a few that caught my eye. Omnibus has taken the liberty to add some specifications as to when authorization is required from a patient for disclosure of information and when said authorization is not required. Almost all disclosures of psychotherapy notes, information for marketing purposes, and sale of protected information require the thumbs up from the patient. Although I won’t list them all, some of the notable exceptions to the authorization rule include “sale, transfer, merger or consolidation of all or part of a covered entity,” and always being able to provide “an individual with access to his/her Protected Health Information.” In addition, our deceased loved ones now have HIPAA protection for up to 50 years after their death, and we, as family members, will always be able to have access to their medical information.
3. A Tiered Structure For Handing Out Fines
To take away the ambiguity of the old system and give companies that fail to comply some certainty about what they will likely be paying to good old Uncle Sam if caught, a new, tiered fine system has been implemented. Starting off, a company or business that fails to comply with HIPAA rules could be subject to minimum penalties of $100 per violation. This number could jump as high as $25,000 for identical violations that occur during a calendar year. Privacy breaches can draw a penalty of up to $1.5 million.
Obviously this is a very brief overview of select parts taken from the HIPAA Omnibus Rule. If you would like to find out some more information, I encourage you to read the official document which can be found here. If you’re still looking to become compliant or will be doing so in the future, luckily we can help! Click here to learn about STEALTHbits Technologies’ suite of Security and Compliance solutions.
If you are interested in learning more about HIPAA Compliance and how our solutions can help, please sign up for our free, live webinar, “Discovering and Protecting Sensitive PHI” on October 24th from 1:30-2:30 EST. We look forward to seeing you there.
This is a follow-up on a previous blog post of mine. In my first post on Export Control Compliance I tried to explain what the ITAR is and why it’s important for defense contractors, manufacturers and suppliers.
Knowing or learning about it is great, but what we have learned from conversations with current customers is that discovering high-risk, sensitive USML related content is something that many organizations in the defense industry have struggled with in the past.
Traditional enterprise-class DLP and data discovery solutions are very complex to set up and use effectively, and are usually not flexible enough for large, complex IT infrastructures. And to make matters worse, they are not friendly to IT budgets.
The first step in maintaining compliance with ITAR is discovering where the USML related content exists. Next, you have to protect that sensitive data. Failure to comply with ITAR can result in hefty fines and penalties, and in some cases imprisonment.
StealthSEEK offers a simple-to-deploy, easy-to-use DLP and sensitive data discovery tool for identifying articles and services, outlined in the United States Munitions List (USML), across your file systems, enabling compliance for the Defense Industry.
In addition to the already 450+ file types that StealthSEEK scans for and the custom criteria ability feature, we’ve added content scanning criteria, specific for ITAR compliance.
I was asked the other day by a colleague: “What is ITAR (International Traffic in Arms Regulations) and why is it important?” So my research commenced. My findings, plentiful to say the least, were that ITAR, along with the Export Administration Regulations (EAR), are two of the most important United States Government export control laws.
From the United States Department of State website, ITAR is a set of regulations responsible for the control of the permanent and temporary export and temporary import of defense articles and services. It is ruled by the Department of State and it implements the authority of the Arms Export Control Act (AECA), an act that provides the authority to control the export of defense articles and services, and charges the President to exercise this authority.
The list of defense articles and services that are pursuant to AECA are found on the United States Munitions List (USML). The list contains 20 categories ranging from Firearms, Close Assault Weapons and Combat Shotguns to Spacecraft Systems and Associated Equipment. All-in-all there are twenty categories, and a miscellaneous section, of the USML.
So we’ve got the what, but what about the why? Why are export control laws like ITAR important to understand and comply with? Well, the short answer is because there are penalties and fines for those companies that violate ITAR. According to the International Import-Export Institute at Dunlap-Stone University, the U.S. Government requires all manufacturers, exporters, and brokers of defense articles, defense services or related technical data to be ITAR compliant. There are too many instances of major corporations failing to comply with ITAR, or flat out violating the regulations.
Don’t get slapped with the tag of “not compliant.” Learn how STEALTHbits Technologies enables Export Control Compliance through StealthSEEK™.
For more information on the ITAR, check out Discovering ITAR Related Content.
Wednesday, 09 January 2013 12:00
While researching data breach incidents within universities and places of higher education, I stumbled upon the Privacy Rights Clearinghouse, an organization dedicated to consumer privacy and “raising awareness of how technology affects personal privacy”. According to the Privacy Rights Clearinghouse (www.privacyrights.org/data-breach/new), over 3,500 data breaches have been made public in US universities and educational institutions alone since 2005, equating to over 600,000,000 compromised records.
But why universities? Are hackers and data thieves targeting the science department’s proprietary research? Well, maybe sometimes, but in almost all instances they’re stealing the same type of data: student and faculty Social Security Numbers, birth dates, addresses, bank account numbers, and other personally identifiable information (PII) that cost the universities, their staff, their students, and even their students’ families monetary loss, emotional stress, and daily disruptions.
The good news is that there are solutions like enterprise Data Loss Prevention (DLP) products designed to help mitigate these types of events. That said, however, the vast majority of the currently available products designed to thwart attacks on sensitive data are incredibly expensive, costly and difficult to implement and maintain, and as a result are rarely found inside the walls of our educational institutions.
The cost prohibitive nature of enterprise class DLP solutions coupled with the historically limited IT budgets and high administrative turnover found in educational institutions have made places of higher education a target for easy access to some of the most sensitive data that exists within any organization.
So What Can Educational Institutions Do To Protect Themselves Against Data Breach Without Breaking The Bank?
Our contention is that many of the data breach events that have occurred in recent times could have been prevented through simple, proactive identification of where data exists, who has access to data, and what type of data exists within the file systems of networked computers – workstations, laptops, and servers – otherwise known as “data-at-rest”. Had the universities that have been victim to data breach events known that sensitive, private student and faculty data existed and was unprotected, it’s a pretty safe assumption to say they wouldn't have allowed it to remain in such a state. The fact of the matter is that they simply don’t know what they don’t know.
A less costly and more pragmatic approach for universities (or any organization with limited funds and resources to prevent data breach events) is to proactively identify where their risk is, consolidate their sensitive data, and lock it down tightly.
A great place to start is to locate file shares that are open to large audiences. These data repositories are notoriously difficult to control due to the number of people performing file transactions, the lack of assigned ownership and governance over the data that exists there, and the complicated weave of access rights that are just as difficult to understand as they are to assign.
After the areas of highest risk are identified, point-and-shoot, low-cost sensitive data identification solutions like StealthSEEK can begin to search for Social Security Numbers, Credit Cards, Bank Accounts, Health Records, and other sensitive and proprietary pieces of data that are buried deep within the files themselves.
As a last step, all documents containing sensitive data can be reviewed, consolidated, and locked down, limiting the number of people who have access to the most sensitive information and also who knows where that data lives.
Endpoint and Data-in-Motion DLP solutions are no doubt valuable assets for organizations that can afford them, but the true “blocking and tackling” of data loss prevention is knowing where sensitive data is and who has access to it, especially for the data that already exists within the environment.
I'm frequently asked why I think StealthAUDIT provides a better alternative to some other product on the market. The answer often comes down to the same core differentiators:
The StealthAUDIT Management Platform (SMP) takes a very different approach from other solutions on the market. While other products attempt to anticipate what reports you might need and package only those into a product set, the StealthAUDIT platform enables a flexible approach to answer virtually ANY question you have today or in the future.
The SMP includes hundreds of out-of-the-box reports based on a decade of experience working with organizations of all sizes. And it includes browse-able interfaces such as the Access Information Center (AIC) which provide easy answers to the top questions of Who has access and How they got access. But it’s also extremely extensible so you can accommodate custom reporting and analysis scenarios such as correlating data across multiple systems and identifying anomalies that exist outside of your unique security policies.
No other solution on the market can match the SMP’s scalability and performance across large-scale environments. Our 30+ data collectors enable the use of best-fit technology which is usually agentless while at the same time extremely efficient. Recent improvements that enable scheduling "run windows" and improved performance of our Active Directory data collection further separate SMP from the pack in terms of scalable, efficient data collection.
Thursday, 27 September 2012 13:43
This is reposted from an earlier post but seems as relevant as ever. If you're thinking about monitoring Active Directory events, you'll no doubt consider what's involved in leveraging native event logging and how that relates to tools that are designed for AD event monitoring. In that context, below, we describe a few of the steps involved in setting up native event logging for Active Directory.
First, you need to understand which events you need to keep track of, and the associated event IDs. Complicating this task is that the event ID numbering is different between versions of Windows. For example, in Server 2008, four-digit event IDs are introduced along with audit subcategories under the main audit categories. There are many events that look similar to each other, so you really need to know what you're looking at, and often a single act will generate numerous events in the log.
The subcategories can be useful because you can enable auditing on some events but not others, which is a step in the right direction for Microsoft auditing, albeit a baby step. For example, instead of treating all Account Management events the same, you can enable audit on Security group management but disable audit on Distribution group management. You have to use a command line tool to apply audit settings via subcategories and you don't get advanced filtering such as the ability to alert on changes to high-risk groups (something STEALTHbits can easily do), but it's better than the Server 2003 capabilities.
Complicating matters further is that there are Account Management audit events and Directory Service Access audit events which overlap. So, if both are enabled, you may see even more duplicate events with some confusion about where to find the best event data. And "before" and "after" values are written to different events. So, in some cases, you'll need to correlate multiple events in order to get the answers you seek.
Once you have the set of events that you want enabled, you also have to enable auditing on the objects themselves. In other words, if you enable auditing on security groups, you still need to ensure that auditing is enabled on those security groups. Typically, enabling audit on directory objects is as simple as enabling "Audit Account Management" in the appropriate GPO, but keep in mind that audit settings differ slightly in various versions of Windows, so if you have a mixed environment, be sure to consult each version's documentation for appropriate audit settings. And be sure that the GPO is configured appropriately on each Active Directory Domain Controller.
Additionally, you can utilize ADSIEdit to apply a "don't audit" flag on attributes that you'd like to have filtered out of auditing. Note that this removes ALL auditing of that attribute for ALL objects. You cannot distinguish, for example, between administrative user accounts and other accounts (again, something that's easy for STEALTHbits).
The third step is to configure log settings. You need to set appropriate access permissions so that advanced users looking to cover their tracks cannot clear logs which may hold vital evidence. If the log security policy is not enabled, all authenticated users would have access to write & clear application logs. System and Security logs can be cleared by system software or administrators. You also need to set maximum log size and retention rules. These settings enable you to control how large the log files will grow and what happens when they reach their maximum. This is critical because logs need to be efficiently handled by log collection systems.
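The steps above, carried through on a domain controller as an added example (not code from the original post or from STEALTHbits): enable only the Security Group Management subcategory, read the effective policy back from auditpol rather than a GPO report, size the Security log, and then correlate the standard 4728/4732/4756 (add) and 4729/4733/4757 (remove) membership-change events to flag changes to high-risk groups. It assumes an elevated Windows PowerShell session on Server 2008 R2 or later; the high-risk group list is an assumed starting point.

```powershell
# Added example, not from the original post. Assumes an elevated Windows PowerShell
# session on a Windows Server 2008 R2+ domain controller.
#Requires -RunAsAdministrator

# Step 1/2: audit subcategories. Enable Security Group Management but leave
# Distribution Group Management alone, exactly the split described in the post.
auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Distribution Group Management" /success:disable /failure:disable

# The post warns not to trust GPO reporting tools for audit settings, so read the
# *effective* policy back from auditpol's CSV output (/r) instead.
function Get-EffectiveAuditSetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    $rows = auditpol.exe /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    return ($rows | Where-Object { $_.Subcategory -eq $Subcategory }).'Inclusion Setting'
}
"Security Group Management: {0}" -f (Get-EffectiveAuditSetting 'Security Group Management')
"Distribution Group Management: {0}" -f (Get-EffectiveAuditSetting 'Distribution Group Management')

# Step 3: log size and retention. 1 GiB, overwrite as needed, so a busy DC does not
# stop logging before the collector catches up. Restricting who may clear the log is
# done through the "Manage auditing and security log" user right in the DC GPO.
wevtutil.exe sl Security /ms:1073741824 /rt:false
wevtutil.exe gl Security

# Correlation: membership changes to security-enabled groups land in different IDs
# depending on group scope (global / domain-local / universal), so query all of them.
$AddIds    = 4728, 4732, 4756
$RemoveIds = 4729, 4733, 4757

function Get-SecurityGroupChanges {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        # Assumed high-risk list; adjust to your environment.
        [string[]]$HighRiskGroups = @('Domain Admins', 'Enterprise Admins',
                                      'Schema Admins', 'Administrators')
    )
    $filter = @{ LogName = 'Security'; Id = ($AddIds + $RemoveIds); StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Action    = if ($_.Id -in $AddIds) { 'Added' } else { 'Removed' }
            Group     = $data['TargetUserName']
            Member    = $data['MemberName']      # distinguished name of the member
            ChangedBy = $data['SubjectUserName'] # account that made the change
            HighRisk  = $data['TargetUserName'] -in $HighRiskGroups
        }
    }
}

# Native logging has no built-in "alert on high-risk group" filter; this is the
# post-hoc query you end up scripting yourself to get that answer.
Get-SecurityGroupChanges | Where-Object HighRisk | Format-Table -AutoSize
```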
There's no ON switch for Windows auditing. There's a number of steps and methods by which to implement auditing. There is even a TechNet article on the complexity of determining the effective audit policy in Windows 2008. The author makes the point that "you should not trust any of the Group Policy reporting tools when it comes to audit settings." If you love Windows event logs and have a complete mastery of how they work (you know who you are), that's great. If not, I would think twice before making a decision to rely on Windows event logging. I certainly wouldn't go down that path with the expectation that it's the easy way. It's clearly not.
It’s no secret that over the past decade, Active Directory has grown out of control across many organizations. It’s partly due to organizational mergers or disparate Active Directory domains that sprouted up over time, but you may find yourself looking at dozens or even hundreds of Active Directory domains and realize that it's time to consolidate. And it probably feels overwhelming. But despite the effort in front of you, there’s an easy way and a right way.
Domain consolidation is not a simple task. Whether you're moving from one platform to another, trying to implement a new security model, or just consolidating domains for improved management and reduced cost, there are numerous steps, lots of unknowns and an overwhelming feeling that you might be missing something. Sound familiar?
According to Gartner analyst Andrew Walls, “The allure of a single AD forest with a simple domain design is not fool’s gold. There are real benefits to be found in a consolidated AD environment. A shared AD infrastructure enables user mobility, common user provisioning processes, consolidated reporting, unified management of machines, etc.”
Walls goes on to discuss the politics, cost justification, and complexity of these projects noting that “An AD consolidation has to unite and rationalize the ID formats, password policy objects, user groups, group policy objects, schema designs and application integration methods that have grown and spread through all of the existing AD environments. At times, this can feel like spring cleaning at the Aegean stables. Of course, if you miss something, users will not be able to log in, or find their file shares, or access applications. No pressure.”
Walls offers advice on how to avoid some of the pain. “You fight proliferation of AD at every turn and realize that consolidation is not a onetime event. The optimal design for AD is a single domain within a single forest. Any deviation from this approach should be justified on the basis of operational requirements that a unified model cannot possibly support.”
What does this mean for you? Well, the most significant take-away from Walls’ advice is that it’s not a one-time event. AD Unification is an ongoing effort. You don’t simply move objects from point A to point B and then pack it in for the day. The easy way fails to meet the core objectives of the following
If you take everything from three source domains and simply move it all to a target domain, you haven’t achieved any of the objectives other than now having a single Active Directory. There’s a good chance that your security model will remain fragmented, management will become more difficult, and your user provisioning processes will require additional logic to accommodate the new mess. On a positive note, if this model is your intent, there are numerous solutions on the market that will help.
STEALTHbits, of course, embraces the right way. “Control through Visibility” is about improving your security posture and your ability to manage IT by increasing your visibility into the critical infrastructure.
Offering a multi-step strategy toward a CLEAN domain consolidation, STEALTHbits’ Active Directory Unification solutions assess which objects should or shouldn’t be consolidated, how the source environments map to the target environment (especially in terms of the security model), and automate the transformation in a way that eliminates the need for SID history, doesn’t break user access, and improves manageability. This applies primarily to servers, GPOs, AD schema, naming conventions, and security groups. (User accounts and workstations can generally be moved as-is once the appropriate group memberships and GPO policies have been evaluated.)
STEALTHbits’ Active Directory Unification doesn't eliminate the need for some form of migration tool to do the Point-A to Point-B moves, but it provides an invaluable ability to streamline what gets moved and how those objects are transformed to meet the target domain security model and related requirements. Throughout the process and moving into the future, the solution identifies and eliminates high-risk and toxic conditions across the Active Directory environments and can evaluate needs and suggest improvements over time – such as security group permission changes or new security groups that enforce a least privilege model or eliminate Segregation of Duties issues based on actual activity in the environment. These intelligence features simply aren't available in migration tools. This type of analysis requires an enterprise class data collection and analysis platform such as the StealthAUDIT Management Platform (SMP).
Please let us know if you’d like more information on how STEALTHbits’ Active Directory Unification can help with your Active Directory consolidation effort.