All posts by Cindy Ng

[Podcast] Are Users and Third-Party Vendors Frenemies?

Leave a review for our podcast & we'll send you a pack of infosec cards.

In the midst of our nationwide debate on social media companies limiting third-party apps’ access to user data, let’s not forget that companies have been publicly declaring who collects our data and what they do with it. Why? These companies have been preparing for GDPR, the EU’s new General Data Protection Regulation, which takes effect on May 25th.

This new EU law is a way to give consumers certain rights over their data while also placing security obligations on companies holding their data.

In this episode of our podcast, we’ve found that GDPR-inspired disclosures, such as Paypal’s, leave us with more questions than answers.

But, as we’ve discussed in our last episode, details matter.

Tool of the Week: S3tk

Panelists: Kilian Englert, Mike Buckbee, Matt Radolec

[White paper] 3 Ways Varonis Enhances Data Loss Prevention

Those who have tried data loss prevention (DLP) to limit the loss of intellectual property, healthcare data, financial data, and personally identifiable information typically don’t move beyond the beginning stages of discovering and monitoring data flows.

In a recent DLP poll, Gartner analyst Anton Chuvakin found that two-thirds of poll participants were skeptical, believing that DLP “just cannot work”, “sort of, but too inefficient”, or “works only against unsophisticated threats”.

What could be the problem? Lack of actionable intelligence is one reason. After implementing DLP, an admin could have tens of thousands of “alerts” about sensitive files. Where do you begin? How do you prioritize?

That’s not the only reason.

To understand why DLP is not enough, you’ll want to read our white paper. We also highlight why context is a key factor in enterprise data security and share three ways you can enhance DLP with Varonis.


[Podcast] Details Matter in Breaches and in Business

With one sensational data breach headline after another, we decided to take on the details behind the story, because the headline alone rarely tells more than a partial truth.

For instance, when a bank’s sensitive data is compromised, what it means depends on how the data was taken as well as what was taken. Security practitioner Mike Buckbee said, “It’s very different if your central data storage was taken versus a Dropbox where you let 3rd party vendors upload spreadsheets.”

We’re also living in a very different time, when everything we do in our personal lives can potentially end up on the internet. Under the EU’s “right to be forgotten” ruling, the public has made 2.4 million takedown requests to Google. Striking the right balance will be difficult. How will the world choose between an organization’s goal (to provide access to the world’s information) and an individual’s right to be forgotten?

And when organizations want to confidently make business decisions based on data-driven metrics, trusting data is critical to making the right decision. Our discussion also reminded me what our favorite statistician Kaiser Fung said in a recent interview, “Investigate the process behind a numerical finding.”

Tool of the week: Bettercap

Panelists: Kilian Englert, Forrest Temple, Mike Buckbee

[Podcast] Innovate First, Deliver PSAs Later

Today, even when we create a very useful language, IoT device, or piece of software, at some point we have to go back to fix its security or send out PSAs.

Troy Hunt, known for his consumer advocacy work on breaches, understands this very well. He recently delivered a very practical PSA: Don’t tell people to turn off Windows update, just don’t.

We also delivered a few PSAs of our own: cybercriminals mine our LinkedIn profiles to craft more targeted phishing emails, we asked whether we’d rather deal with ransomware or cryptomalware, and we covered the six laws of technology everyone should know.

Tool of the week: MSDAT

Panelists: Forrest Temple, Kilian Englert, Mike Buckbee

[Podcast] Security Alert Woes

IT pros could use a little break from security alerts. They get a lot of alerts. All. The. Time.

While alerts are important, a barrage of them can become a liability. It can cause miscommunication and overreaction. Conversely, alerts can turn into white noise, resulting in apathy. Hence the adage: if everything is important, nothing is. Should we instead be proactive about our security risks rather than reactive?

Articles discussed:

  • Heatmap reveals secret military bases
  • ICE gets access to license plate numbers
  • Does it matter if you put your password on a post-it?

Panelists: Kilian Englert, Forrest Temple, Kris Keyser

The Difference Between IAM’s User Provisioning and Data Access Management

Identity and access management (IAM)’s user provisioning and data security’s data access management both manage access. But provisioning is not a substitute for data access management. The differences between the two are enough to put them in distinct categories. Both are important, and knowing the difference will help you figure out the right tool for the job.

What is User Provisioning?

User provisioning is the creation and management of access to the organization’s resources. Access can range from IT accounts (CRM, Salesforce, email etc) to non-IT equipment and resources such as an access badge, phone, car, etc.

IT administrators responsible for provisioning access know that doing it manually is tedious and complicated, and even with a checklist the risk of making mistakes is high.

Of course, there’s always the option to leverage directory services to automate the provisioning workflow. And the work of maintaining those access rights continues as people’s responsibilities evolve and when they leave the organization.

IAM systems further automate this process.  To streamline provisioning, organizations create templates – called “roles” – that package together and assign specific entitlements to accounts.  For example, any full-time employee on the Finance team will receive the same types of access – an email account, authorization to the parking area, and access to the billing and payment systems.  Later in her career, the Finance user might change jobs and join the legal team.  IAM will facilitate that role change – since the user is still an employee, she will retain her email and parking access, but the system will revoke her rights to the billing and payment systems and then grant access to the eDiscovery and records management tool.

So far, there’s no reason to believe that you can’t provision access to data in the same way: make access available to users who need it and manage as needed.

So What’s the Problem?

Organizations with IAM solutions often assume that existing security groups and roles align with the underlying data structures that hold the organization’s data. Unfortunately, even when users are in the correct groups, they inevitably end up with far more access to data than is necessary or relevant to their jobs.

Sure, IAM solutions have complete lists of users and groups from directory services. However, one of the biggest challenges is mapping these users and groups to access control lists (ACLs) which control access to the data itself.

What’s more, IAM doesn’t identify which users are accessing which files and more importantly, it doesn’t identify which folders and files contain sensitive data.

How Data Access Really Works

ACLs control access to data.

What this means is that if a file object has an ACL that contains (Allen: read, write; Jared: read), this would give Allen permission to read and write data in the file and Jared would only be able to read it.

The best practice for managing access is through groups.  A typical ACL will consist of groups with various rights – for example, one group that has read permission and another group that has read and write permission.  Then, to grant access, simply add users to the group that corresponds to the desired access.

In theory, it seems simple enough to control and maintain access to data by keeping the correct users in the right group, and right groups on the ACLs.

Here’s what happens in reality: the links between users, groups and data break over time.  Often, users are added to groups and never removed.  ACLs are modified to include groups unrelated to the data the ACL was originally intended to protect – or, even worse, groups are added to other groups, further complicating the situation and causing a wider ripple effect.

In order to manage data access properly, it’s vital to ensure that security groups are actually granting access to the right sets of data.  Maintaining that link is key to avoiding unintended consequences – like adding a user to an innocuous-seeming group that, through group nesting, actually grants access to critical or sensitive business data.
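The nesting problem can be made concrete. What follows is an added example, not code from this article or from Varonis: it models a handful of constructed users, nested security groups and folder ACLs, resolves each user’s effective rights by walking the nesting, flags sensitive folders that a user reaches only through a nested group, and answers “what would this user gain if I added them to that group?” before the change is made. Every user, group and folder name is hypothetical.

```python
"""Resolve effective data access through nested security groups.

Added example; all users, groups, folders and ACLs below are constructed
for illustration and do not come from the article.
"""
from collections import defaultdict
from copy import deepcopy

# Constructed directory: group -> members. A member may be a user or another group.
GROUPS = {
    "Finance-RO": {"alice", "bob"},
    "Finance-RW": {"carol"},
    "All-Staff":  {"alice", "bob", "carol", "dave"},
    "Project-X":  {"dave", "Finance-RO"},   # Finance-RO nested inside Project-X
    "Legal":      {"erin", "Project-X"},    # Project-X nested inside Legal
}

# Constructed ACLs: folder -> {group: rights}. Only groups appear on ACLs (best practice).
ACLS = {
    "Finance/Billing":  {"Finance-RO": {"read"}, "Finance-RW": {"read", "write"}},
    "Legal/eDiscovery": {"Legal": {"read", "write"}},
    "Public":           {"All-Staff": {"read"}},
}

# Folders that classification has marked sensitive (hypothetical).
SENSITIVE = {"Finance/Billing", "Legal/eDiscovery"}


def _walk(group, groups, chain, seen, out):
    """Depth-first expansion of `group`; records every user with the chain of groups that reached it."""
    if group in seen:            # cycle guard: nested groups can form loops (A -> B -> A)
        return
    seen = seen | {group}        # per-path visited set, so diamonds still yield every chain
    for member in groups.get(group, ()):
        if member in groups:     # member is itself a group: recurse one level deeper
            _walk(member, groups, chain + [member], seen, out)
        else:
            out[member].append(chain)


def effective_members(group, groups):
    """Map each user reachable from `group` to the group chains that grant membership.

    A chain of length 1 (just the group itself) means direct membership."""
    out = defaultdict(list)
    _walk(group, groups, [group], set(), out)
    return dict(out)


def effective_access(acls, groups):
    """user -> folder -> {"rights": set of rights, "chains": list of group chains}."""
    access = defaultdict(lambda: defaultdict(lambda: {"rights": set(), "chains": []}))
    for folder, entries in acls.items():
        for group, rights in entries.items():
            for user, chains in effective_members(group, groups).items():
                entry = access[user][folder]
                entry["rights"] |= set(rights)
                entry["chains"].extend(chains)
    return {user: dict(folders) for user, folders in access.items()}


def nested_sensitive_access(acls, groups, sensitive):
    """(user, folder, chain) for each sensitive folder a user reaches ONLY through nesting.

    Direct membership in a group on the ACL is taken as intended; a path that exists
    solely because one group was added to another is what gets flagged."""
    findings = []
    for user, folders in effective_access(acls, groups).items():
        for folder, entry in folders.items():
            if folder not in sensitive:
                continue
            if any(len(chain) == 1 for chain in entry["chains"]):
                continue
            for chain in entry["chains"]:
                findings.append((user, folder, tuple(chain)))
    return sorted(findings)


def simulate_add(user, group, acls, groups):
    """Folders and rights `user` would newly gain if added to `group` (change is not applied)."""
    before = effective_access(acls, groups).get(user, {})
    trial = deepcopy(groups)
    trial.setdefault(group, set()).add(user)
    after = effective_access(acls, trial).get(user, {})
    gained = {}
    for folder, entry in after.items():
        new_rights = entry["rights"] - before.get(folder, {}).get("rights", set())
        if new_rights:
            gained[folder] = new_rights
    return gained


if __name__ == "__main__":
    for user, folder, chain in nested_sensitive_access(ACLS, GROUPS, SENSITIVE):
        print(f"{user} reaches {folder} via {' > '.join(chain)}")
    print("frank added to Finance-RO would gain:", simulate_add("frank", "Finance-RO", ACLS, GROUPS))
```

Run as-is, the report shows that alice and bob, who were only ever meant to read Billing, can read and write the eDiscovery share because Finance-RO was nested into Project-X, which was nested into Legal; and that adding a new user to the harmless-looking Finance-RO group would hand them eDiscovery write access along with Billing read. Replacing the constructed dictionaries with an export of real group memberships and ACLs is the only change needed to run the same check against a live directory.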

It’s All in the Details

In short, we’ve detailed how intricate the practical details of managing data access are. Yes, provisioning user access to IT resources is a form of access management and very important to security, but it is not data access management, nor is it data security.

[Podcast] Manifesting Chaos or a Security Risk?

Regular listeners of the Inside Out Security podcast know that our panelists can’t agree on much. So a bold allegation that IT is the most problematic department in an organization was, ahem, controversial.

But whether you love or hate IT, we can’t deny that technology has made significant contributions to our lives. For instance, grocery stores are now using a system, order-to-shelf, to reduce food waste. There are apps to help drivers find alternate routes if they’re faced with a crowded freeway. Both examples are wonderful use cases, but also have had unforeseen side effects.

Even though profits are up, empty aisles at grocery stores are frustrating shoppers as well as employees. Quiet neighborhoods that became alternate routes are experiencing traffic due to a new influx of drivers as well as noise pollution.

When there are unforeseen consequences from a technological improvement, are we manifesting chaos or a security risk?

Tool of the week: Pown Proxy

Panelists: Kilian Englert, Mike Buckbee, Matt Radolec

[Podcast] The Security of Legacy Systems

It’s our first show of 2018 and we kicked off the show with predictions that could potentially drive headline news. By doing so, we’re figuring out different ways to prepare and prevent future cybersecurity attacks.

What’s notable is that IBM set up a cybersecurity lab where organizations can experience what it’s like to go through a cyberattack without any risk to their production systems. This is extremely helpful for companies with legacy systems that might find it difficult to upgrade for one reason or another. But we can all agree that what’s truly difficult are the flaws you can’t fully fix with a software patch, such as the Spectre and Meltdown processor vulnerabilities.

Other articles discussed: Hotmail changed Microsoft and email

Panelists: Kris Keyser, Kilian Englert

The Difference Between Data Governance and IT Governance

Lately, we’ve been so focused on data governance, extracting the most value from our data and preventing the next big breach, many of us have overlooked IT governance fundamentals, which help us achieve great data governance.

The source of some of the confusion is that data and IT governance have very similar and interdependent goals. Broadly speaking, both processes aim to optimize the organization’s assets to generate greater business value for the organization.

Since IT and data governance are so inextricably connected and vital to an organization’s operations, how about we compare and contrast the two.

What is IT Governance?

IT governance ensures that the organization’s IT investments support the business objectives, manage the risks, and meet compliance regulations.

Examples of an organization’s IT investments: physical and technical security, encryption, servers, software, computer and network devices, database schemas, and backups.

It’s often argued that these investments are considered a cost center rather than a money generator. Here’s some tough talk: organizations wouldn’t be able to operate, optimize or even generate revenue without IT.

In short: no IT, no data, and no business.

But good IT operations require dedicated leadership to ensure that tech investments are maximized.

Stakeholders involved in the success of IT governance include the board of directors, executives in finance, operations, marketing, sales, HR, vendors and, of course, the chief information officer (CIO) as well as other IT management.

The key individual who’s responsible for aligning IT governance to the organization’s business goals is the CIO.

To accomplish their goals, CIOs will often use existing IT governance frameworks created by industry experts. These frameworks also provide implementation guides, case studies and assessments. Here are some frameworks you may have heard of:

COBIT 5: A staple in the industry, this framework helps enterprises with IT governance, business optimization, and growth by leveraging proven practices. This framework is based on five key principles for governance and management of enterprise IT:

  1. Meeting Stakeholder Needs
  2. Covering the Enterprise End-to-End
  3. Applying a Single, Integrated Framework
  4. Enabling a Holistic Approach
  5. Separating Governance From Management

ITIL: IT Infrastructure Library helps with aligning IT services with the needs of the business. Most known for their framework of five core publications, each book collects the best practices for each phase of the IT service lifecycle.

FAIR: This is a newer framework. According to the FAIR Institute’s website, “they’re a non-profit professional organization dedicated to advancing the discipline of measuring and managing information risk.  They provide information risk, cybersecurity and business executives with the standards and best practices to help organizations measure, manage and report on information risk from the business perspective.”

When it comes to frameworks, you’ll have to decide which one works with your company culture and often times, organizations will find that a hybrid approach works the best.

And with proper IT governance, the chance for data governance success increases. Why? Execution and management of systems, applications, IT support and their management of data within a company will impact data governance.

So What Then is Data Governance?

Data governance refers to the management of data in order to improve business outcomes and fuel business growth.

So far, with the exception of the asset type, data governance is very similar to IT governance.

The stakeholders involved in data governance include all the individuals required for IT governance (the board, executives in finance, operations, marketing, sales, HR, vendors, the CIO and IT management) plus a few more.

However, the individual responsible for aligning data with the organization’s business metrics is the chief data officer (CDO). The CDO will also enlist data scientists, programmers, and any department that generates data, which is every department within an organization.

CDOs are a recent addition to the C-suite, and they help lead companies in generating business value from data. According to Gartner, 90 percent of large organizations will have a chief data officer by 2019.

Yes, a CDO is very much a technical role, but this position also requires business and change management skillsets. After all, they have to aggregate the data, analyze the data and the most challenging of all, get the business to act on the data.

Since data governance is a relatively new field, it has no established frameworks comparable to COBIT 5.

But based on my research and speaking with pros at conferences, a company’s executive suite should be asking some of the following questions:

  1. What is your business strategy?
    • A data strategy isn’t going to generate a single incremental dollar for your business, it’s simply an enabler.
  2. Have you defined and communicated key objectives throughout your organization?
    • You’re going to waste a lot of time, money and resources solving for a problem if you don’t know what the business problem is.
  3. Do you have the right data and is it of sufficient quality?
    • Without data quality, your data projects and analytics will inevitably fall short.

In talking with Jeffery McMillian, CDO of Morgan Stanley, I learned that he spends 90% of his time focused on the first two questions.  Based on his experience, if you don’t get these right, everything else is pretty much null.


The Difference Between Data Security and Privacy

Repeat after me, data security is not privacy. Privacy is also not data security. These two terms are often used interchangeably, but there are distinct differences as well as similarities.

Yes, data security and privacy share the common goal of protecting sensitive data. But they take very different approaches to achieving it. Data security focuses on protecting the data from theft and breaches, whereas privacy governs how data is collected, shared and used.

Let’s dig a little deeper to understand the differences.

What is Data Security

Data security focuses on the tools that deter hackers and cybercriminals from getting to your crown jewels—customers’ personal data (credit cards, accounts), as well as the company’s intellectual property and trade secrets. Some of these tools include permissions management, data classification, identity and access management, and user behavior analytics (UBA). Together, these tools are meant to deter and challenge cybercriminals trying to steal your intellectual property, healthcare data, financial data, and personally identifiable information.

When Data Security is Mistaken for Privacy

It’s common for organizations to believe that if they’re responsibly managing sensitive data according to specific data security requirements, they’re also complying with data privacy requirements.

That’s just not true.

Even with the best security tools, employees or third-party vendors with access to sensitive data can mismanage it if they’re unaware of privacy policies.

But what exactly is privacy and why does it matter?

What is Privacy

Privacy is the right for an individual to be free from uninvited attention and scrutiny.

To safely exist in one’s own space and freely express one’s opinion behind closed doors is critical to living in a democratic society, says Ann Cavoukian, creator of Privacy by Design.

Cavoukian,  the former Information & Privacy Commissioner of Ontario, Canada says, “Privacy forms the basis of our freedom. You have to have moments of reserve, reflection, intimacy and solitude.”

This is critical because even though data breaches have been driving headline news, privacy concerns have always been riding shotgun. In other words, there’s little point in securing data if the individual loses their rights over it!

You don’t want to be the company to be described as creepy in the way that you leverage your customer’s personal data – whether it is with passive location tracking, apps secretly absorbing your personal address book, or websites recording your every keystroke.

Instead, employees should be regularly trained on security and privacy so they understand the processes and procedures necessary to also ensure proper collection, sharing, and use of sensitive data.

Plus, if you’re doing business in the EU, you’ll be required to take consumer data privacy seriously. EU consumers will soon have strong privacy rights, including the right to explicit opt-in consent, the right to access their data, and the right to have it deleted. It will be the law in 2018!

[Podcast] Who is in Control? The Data or Humans?

Self-quantified trackers made possible what was once nearly unthinkable: for individuals to gather data on their own activity levels in order to manage and improve their performance. Some have remarked that self-quantified devices can verge on over-management. As we wait for more research on the right dose of self-management, we’ll have to define for ourselves what the right amount of self-quantifying is.

Meanwhile, it seems that businesses are also struggling with a similar dilemma: measuring the right amount of risk and harm as it relates to security and privacy.

Acting FTC Chairman Maureen Ohlhausen said at a recent privacy and security workshop, “In making policy determinations, injury matters. … If we want to manage privacy and data security injuries, we need to be able to measure them.”

A clearly defined measurement of risk and harm will become ever more important as the business world embraces deep learning and, eventually, artificial intelligence.

Panelists: Kilian Englert, Mike Thompson, Kris Keyser