All posts by Ken Spinner

Another Look at Folder Permissions: Beyond AGLP

AGLP is Microsoft’s four-letter abbreviation for guiding admins in setting permissions in an Active Directory environment. Account, Global, Local, Permission just means the following: you put user accounts (A) into global groups (G), put the global groups into domain local groups (L), and then grant permissions (P) to the domain local group. Makes sense, right?

It’s a convenient way to permission users based on their roles.

All your sales people are added into the Sales group, the marketing folks into the Marketing group, etc. The domain local groups are then associated with a resource—say a file share or a printer.

You place Sales and Marketing into a domain local group called, say, Presentations, which controls access to a file share. Finally you apply appropriate permissions — read access, or read-write access — to the domain local group.

The fancy name for what I just described is another four-letter abbreviation, RBAC, or role-based access control.

Problems

AGLP has a nice side benefit. It’s far easier to audit access controls: you just focus on the domain local groups. But this comes at a price.

AGLP can’t be easily applied to selected users across multiple business roles. Several approaches have been tried to resolve this problem, known of course as SUAMBR, but with little success. In most cases, the attempts to work around AGLP’s lack of permission granularity leave the file system’s permissions in a state of over-permissive access.

It’s a major problem when recertifying file permissions for certain data security regulations and compliance standards—for example, HIPAA or SOX.

What are some of the things that can go wrong with AGLP? We have a list:

  1. Over-Permissive Access to Sensitive Data Caused by Using Functional Groups

A common practice is to grant an entire functional group, business role, or global access group permissions to a data share. Because Microsoft requires that permissions be granted through Active Directory groups, this method is widely used to provide access. Although this approach ensures that users who require access have sufficient rights, it also poses a security risk: many unauthorized users are also granted permission to sensitive data, simply because they are members of a specific role.

  2. User and Non-Group Permissions are Directly Assigned on an ACL

Another way to manage permissions on sensitive data is to directly grant user account permissions on the folder instead of the security group. This ensures that only authorized users have access; however, it also makes permission recertification a very complicated process. It’s then difficult to effectively manage access across the file system: you’re now faced with tracking individual files and folders and updating the ACL when a user no longer requires access because of a role change.

  3. Ordinary Users are Intentionally Assigned Full Control Permissions

In many cases, administrators intentionally grant Full Control permissions to ordinary users. This approach brings a security risk: in the event of a malware or cyber-attack, Full Control permissions could be leveraged by hackers. For example, the hacker (or employee who becomes an insider threat) removes all permissions from other groups, or deletes all data within the folder. Even regular users with Full Control permissions can accidentally change folder permission settings, resulting in the loss of access or deletion of data.

  4. Ordinary Users are Unintentionally Assigned Full Control Permissions

IT administrators may unintentionally grant Full Control permissions to ordinary users by failing to limit default Owner rights. This approach also poses a security risk for the same reasons mentioned above.

It is important to note that Owner rights should be explicitly defined on the ACL with Modify permissions and not Full Control permissions. Additionally, attempts to remove Owner rights will only remove the visual display of the permission and revert the Owner rights to Full Control.

  5. IT Administrators are Unnecessarily Granted Full Control Permissions

IT administrators are usually granted Full Control permissions to all data, including sensitive data. This practice may be acceptable in tightly controlled organizations. But it’s not unusual now for administration to be outsourced to providers, where there is greater opportunity for errors, negligence and malicious behavior.

  6. Failure to Audit and Recertify Access

In most environments, there’s no clear definition of what data is considered sensitive. In cases where sensitive data is identified, having both multiple functional security groups and direct permissions can make auditing access and permission recertification a time-consuming and error-prone task. Data owners who fail to audit and recertify access to sensitive data risk that data being exposed by hackers.
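As an added example (not code from the original post), the following PowerShell script walks a share and flags the ACL patterns from the list above: explicit user (non-group) ACEs, Full Control held by principals outside an allow list, and CREATOR OWNER entries carrying Full Control. It assumes the RSAT ActiveDirectory module is installed; the share path and the allow list are placeholders.

```powershell
# Added example: audit explicit NTFS ACEs under a share root for the AGLP
# anti-patterns described above. The share path and the Full Control allow
# list are placeholders (assumptions), not values from the original post.
Import-Module ActiveDirectory   # assumes RSAT AD tools are installed

$Root = '\\FILESRV01\Presentations'          # placeholder share root
$FullControlAllowList = @(                   # principals expected to hold Full Control
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM'
)

$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$classCache  = @{}   # SID -> objectClass, so each principal is resolved once

function Get-PrincipalClass {
    # Returns 'user', 'group', 'builtin' (well-known/local SID) or 'unresolved'
    param([System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return 'unresolved'   # orphaned SID, e.g. a deleted account still on the ACL
    }
    if (-not $classCache.ContainsKey($sid)) {
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -ErrorAction SilentlyContinue
        $classCache[$sid] = if ($obj) { $obj.ObjectClass } else { 'builtin' }
    }
    return $classCache[$sid]
}

function Test-AglpAcl {
    # Emits one finding per explicit Allow ACE that matches a problem pattern
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Inherited ACEs repeat the parent's problem; report each only where it is set
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }

        $who    = $ace.IdentityReference.Value
        $class  = Get-PrincipalClass $ace.IdentityReference
        # Generic rights can show up as raw integers; -band handles both forms
        $isFull = ($ace.FileSystemRights -band $FullControl) -eq $FullControl

        $issues = @()
        if ($class -eq 'user') {
            $issues += 'DirectUserACE'                                # problem 2
        }
        if ($who -eq 'CREATOR OWNER' -and $isFull) {
            $issues += 'OwnerFullControl'                             # problem 4
        } elseif ($isFull -and $who -notin $FullControlAllowList) {
            $issues += 'FullControl'                                  # problems 3 and 5
        }

        foreach ($issue in $issues) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $who
                Class     = $class
                Rights    = $ace.FileSystemRights
                Issue     = $issue
            }
        }
    }
}

# Walk the root and every sub-folder; files inherit unless explicitly re-permissioned
$folders  = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Directory -Recurse)
$findings = foreach ($folder in $folders) { Test-AglpAcl -Path $folder.FullName }

$findings | Sort-Object Issue, Path | Format-Table -AutoSize
# A count per issue type helps scope a recertification pass
$findings | Group-Object Issue | Select-Object Name, Count
```

Unresolved SIDs and 'builtin' principals are reported but not classified as users, so review those rows by hand.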

Solutions

We have ‘em too! Check out the full list in our awesome Best Practices For Planning and Implementing NTFS Permissions For Recertification!

 

Data Retention in the Social Media Era

A variety of industry research analysts have indicated that 3 of the top 10 priorities for IT in 2013 will be initiatives focusing on BYOD, cloud computing and business analytics obtained via social media. While these initiatives provide clear business benefits, they will challenge data retention and records management policies for most organizations.

BYOD, cloud computing and social media have a common thread – they all create data repositories that have been geared towards the non-IT consumer, where governance, management and retention have taken a backseat to ease of use. With the introduction of these technologies into the enterprise, companies are obligated to develop backup, archiving, and classification strategies to ensure that relevant data is available in the event of litigation and a discovery request.

The Federal Rules of Civil Procedure state that the moment a company receives a legal hold request they must not dispose of data without having a clearly defined and demonstrable retention and disposal policy. These policies cannot be developed and implemented in the midst of litigation, as an opposing litigant could claim that destruction of data was intentional, resulting in damages and penalties awarded to the opposition.

In the article, eDiscovery Rules Applied to Social Media: What This Means in Practical Terms for Businesses, statistics show that the FRCP rules are being enforced— sanctions were ordered in 50% of the cases where sanctions were sought, with a few resulting in large monetary penalties. Needless to say, companies are compelled to comply.

While many companies have chosen the pack-rat approach – save and archive all of the data they manage, including customer data, personal data, etc., this approach is not practical due to ever increasing volumes of data, especially when considering the information generated by mobile devices and social media.

In the event that a company does need to develop a defined retention policy that takes these initiatives into account, their requirements should be part of a larger blueprint for securing their data, linking their retention strategies with governance and accessibility.  These 6 steps provide some basic guidelines:

  1. Determine the age at which each type of data that has not been accessed would be considered stale – 1 year? 2 years? 5 years?
  2. Implement a solution that can identify where stale data is located based on actual usage (not just file timestamps)
  3. Automate the classification of data based on content, activity, accessibility, data sensitivity and data owner involvement
  4. Automatically archive or delete data that meets your retention guidelines
  5. Automatically migrate data that is stale but contains sensitive information to a secure folder or archive with access limited to only those people who need to have access (e.g. the General Counsel)
  6. Make sure your solution can provide evidence (e.g. reports) of your defensible data retention and disposal policy

Image Credit: File Upload Bot (Magnus Manske)

My Grandmother Uses Dropbox — Why can’t I?

My first involvement with tech occurred in the early 80s. I recall the days of modems, time division multiplexors, acoustic couplers, and DIP switches. Most people don’t realize it, but cloud based file sharing existed in the 80s; it required an account with a major X.25 “cloud” service provider, such as Tymnet or Telenet.

At the risk of sounding nostalgic, back in the day, only people who had a keen interest in electronics (mainly, those of us under 30) were exposed to these esoteric products. Neither my grandmother nor my mother understood technology and, frankly, I never tried to explain it to them. It was a language that only a privileged few could understand. That has certainly changed.

Today, grandma owns an iPad, has a Twitter account, does her banking online, and knows what megapixels are. She texts, tweets, and takes pictures…lots of pictures.  She happily uses the modern cloud to post pictures on Dropbox so her niece—who is going to school for archeology in the Middle East—can see the scarf grandma is knitting her for Christmas.

So, if grandma can use Dropbox, WHY…CAN’T…I?

That’s a question that business areas are asking IT professionals on a daily basis.

In order to answer the question, we need to examine why grandma is using Dropbox.  Simply speaking – it’s easy to use.  Grandma logs in with her username and password, drags and drops her scarf photo, and voila, her niece can download and view the picture almost instantly.

Unlike previous X.25 cloud services like Tymnet and Telenet, current cloud-based file sharing services, including Dropbox, have done a fantastic job adhering to the mantra “Simplicity as a Design Goal.” Many other consumer-oriented services and products have also gained widespread adoption following the same blueprint – e.g., the iPod.

So, when the person who runs the HR Department comes to you and tells you that she’ll be using Dropbox to share employee information with a vendor (just as easily as she shares her family photos), what do you tell her?  And, more importantly, what alternative can you provide her for sharing sensitive information with third parties?

Here’s a list of 5 tactics you can use:

1. Explain that consumer-oriented web sites don’t provide the same level of protection as modern enterprise IT systems.

2. Explain that while protecting pictures of a scarf with a username and password may be appropriate, protecting data which contains an employee’s social security number, home address, and medical information deserves more than password protection.

3. Explain that data breaches occur on a regular basis on cloud based services and losing data can cause irreparable harm to a corporation.

4. Explain that regulatory requirements force many companies to review entitlement on an ongoing basis, to verify access by auditing data use, and to encrypt certain types of data. Most cloud-based file sharing services do not allow for these types of controls.

5. Explain that there are alternatives! Specifically, there are products that can provide similar functionality, that are easy to use, that can be used to share both employee records and pictures of a scarf, without sacrificing security.

Interestingly enough, according to a 2010 report, the fastest growth on social networking sites came from internet users 74 and older.  Enough said.  Now please excuse me while I go play Pong.

Image credit: http://en.wikipedia.org/wiki/File:Televideo925Terminal.jpg

Top 5 Reasons Why Organizations Want a Dropbox Alternative

During a recent visit to Brazil, I encountered many customers and partners who faced a similar challenge – providing their clients with a safe, secure and genuinely easy way to share files and collaborate with data. All faced a number of barriers and none were happy with the current offerings of cloud based file sharing solutions. Generally speaking:

  • All required a secure way to share files with internal and external people – partners, vendors and employees
  • All tried to block access to file sharing sites and no one thought they were successful in doing so
  • All were concerned about the additional resource requirements to manage and control cloud file shares
  • Many wanted the same user experience and processes for internal and external collaboration
  • Not one had a plan to fulfill these requirements
  • All were required by the business areas to provide a solution in the near term

The following 5 criteria summarize their requirements, which are not currently fulfilled by cloud based file sharing solutions:

1. Ongoing guarantee of rightful access

Customers clearly state that the security of cloud based file sharing solutions is a primary concern.  They require a comprehensive audit trail of all usage activity, the ability to ensure permissions are granted and revoked at the appropriate times by the appropriate people, and the ability to develop different profiles for different data and people based on data sensitivity, customer location, and role.

2. Ability to leverage existing infrastructure and processes

Customers want to leverage their existing infrastructure and processes instead of purchasing a new solution, and have no wish to reinvent their processes for managing data on a third-party cloud solution. Customers have processes and applications to perform backup, archival, provisioning and management of existing infrastructure, and they are unsure how to perform these functions within a cloud-based file sharing solution.

3. Ensuring Reliability with Accountability

IT organizations have defined service levels for their internal clients, and are accountable for the delivery of each service. If they don’t deliver, there is no question about whose responsibility it is. Service levels associated with cloud based file sharing must be negotiated like other third party services – there are typically few guarantees of performance, and remedies for non-performance are limited.

4. Providing an intuitively simple user experience

Regardless of the solution, IT Managers are very concerned about a new user experience for their clients. Most indicate that a different user experience will require training, increase the number of calls for support, and reduce productivity at least temporarily. Ultimately, IT Managers would like to leverage the user experience that their user population has already mastered.

5. Predictable expense

Typical cloud based file sharing solutions are priced based on the amount of storage, and storage requirements often grow at a surprising rate. Customers may need to negotiate storage costs with cloud providers on an ongoing basis.

Try DatAnywhere!

What Do U.S. Security Legislation and Insurance Companies Have in Common?

Answer: Both may affect the way businesses determine what constitutes appropriate security measures.

In February, Senators Joe Lieberman, Susan Collins, John D. Rockefeller IV, and Dianne Feinstein introduced the Cybersecurity Act of 2012. The intent of the Act is to give the Department of Homeland Security (DHS) additional power to set cyber security standards for private companies that operate the nation’s critical infrastructure. Simply speaking, the intent of the bill is to:

  1. Identify risk via cooperation between DHS and private corporations
  2. Protect critical infrastructure (although what exactly constitutes critical infrastructure is yet to be defined)
  3. Improve information sharing about security issues and events between DHS and private corporations

According to the Homeland Security Website:  “The bill would authorize the Secretary of Homeland Security, together with the private sector, to determine cyber security performance requirements based upon the risk assessments. The performance requirements would cover critical infrastructure systems and assets whose disruption could result in severe degradation of national security, catastrophic economic damage, or the interruption of life-sustaining services sufficient to cause mass casualties or mass evacuations. The bill would only cover the most critical systems and assets in a given sector, and only if they are not already being appropriately secured.”

The website goes on, “Owners of “covered critical infrastructure” would have the flexibility to meet the cybersecurity performance requirements in the manner they deem appropriate. The private sector also would have the opportunity to develop and propose performance requirements for “covered critical infrastructure.”

http://www.hsgac.senate.gov/download/the-cybersecurity-act-of-2012-s-2105_-summary

In this regard, if this bill is passed, companies that operate anything that might be lumped into the category of critical infrastructure (e.g. financial, energy, food, medical, healthcare, etc.) may need to rethink their risk tolerance, security engineering methodologies and security operations practices. If your company does operate critical infrastructure, the Department of Homeland Security may soon police your security engineering efforts.

Coincidentally, the insurance industry is also affecting how Security Admins determine appropriate security measures for their companies. Cyber insurance was created to protect the interests of companies in the event of a loss due to a variety of different issues including data breaches, cyber-extortion, content liability, penalties for civil actions resulting from failure to comply with a specific regulation, virus liability, cyber terrorism, loss of income due to hacking, DoS attacks, etc. While cyber insurance may be worthwhile, as those of us with homeowners or automobile insurance know, insurance policies always contain a list of exclusions.

Cyber insurance is no different. Notable exclusions can include vague statements such as:

  • Loss caused by an employee, officer, director, owner, independent contractors
  • Failure to follow minimum required practices
  • Failure to take reasonable security measures

Given that Security Admins are paid to take “reasonable” security measures, it’s hard to imagine how these exclusions will be interpreted in the event of a breach. Only an attorney can determine the actual impact of these exclusions. Ultimately, Security Admins are compelled to work with their legal department and other business areas to ensure that their cyber insurance policy provides coverage in the event of a breach. In this regard, insurance companies may influence your security engineering efforts, as well.

In a recent trade show, an attendee told me that his company was forced to purchase Cyber Insurance.  When I asked him why, he indicated that one of his customers required Cyber Insurance as a condition of doing business with them.  This customer understood that a prerequisite to determining which Cyber Insurance policy was appropriate was to involve business data owners who are best prepared to determine the risk associated with their area of interest.  Many companies have recognized the value of including business areas and specifically data owners in security engineering planning.

The Cyber Security Act of 2012 and Cyber Insurance are two motivating factors which will encourage companies to better understand risk and tolerance, and foster cooperation between IT security and data owners.

http://www.iqpc.com/uploadedFiles/EventRedesign/USA/2011/November/20810001/Assets/2011-The-Rapidly-Evolving-Nature-of-Cyber-Risk.pdf

http://www.cpcusociety.org/file_depot/0-10000000/0-10000/3267/conman/CPCUeJournalDec08article.pdf

Another Great Trade Robbery

“The Great Trade Robbery” – currently used in the context of questionable international trading policies and lopsided sports team player trades – now has yet another meaning. Two recent articles about digital espionage and IP theft by the Chinese government and Chinese businesses describe a new trade robbery that has apparently been going on for some time, and the extreme measures some organizations are taking to protect themselves.

A recent New York Times article discussed how employees now must travel “electronically naked,” meaning leave all electronic devices at home, as just about everything you carry with you digitally—your personal information, your contacts, your login credentials, your company’s Intellectual Property—will get stolen. The article went on to say, “The Chinese are very good at covering their tracks,” stated a former F.B.I. agent. “In most cases, companies don’t realize they’ve been burned until years later when a foreign competitor puts out their very same product — only they’re making it 30 percent cheaper.”

It makes sense that we become a little more circumspect with the information we carry around. Most of us wouldn’t tote our life savings in cash around the block (much less to China) without a very good reason to do so. A single smartphone can now be a gateway into our digital realm (as well as our life savings, because there’s an app for that). A Trojan installed or outright theft can conceivably lead to the theft of your entire digital life-savings and your organization’s valuable data.

A Business Week article, “Hey China, Stop Stealing our Stuff,” provided additional detail about China’s questionable “trading” practices, including sanctioned hacking of foreign entities by the Chinese Government.  The article included a few examples of the impact on the victims – millions of dollars lost, a significant drop in stock price, and a loss of customer confidence.

So we can’t just keep our data at home, apparently. We have to continue to be vigilant even on our “trusted networks.”

China represents a huge market, but these articles illustrate that companies doing business in China or with Chinese interests must begin to think about mitigating new levels of risk, and in some cases take drastic actions like traveling “electronically naked” to minimize potential exposure.

Putting China and extreme security aside for a second, how is your organization doing at some of the more basic data protection tasks? For example:

  • Do you know for certain where all the intellectual property in your organization resides?
  • Do you know who can and does access it?
  • How often is access reviewed?
  • Does the organization allow intellectual property to be accessed or stored on laptops?
  • Does the organization allow intellectual property to be accessed or stored on remote devices, such as smartphones or tablets?

If the answer is “no” to the first two questions, for example, forget about keeping your data secret from China—you may not be able to keep it secret from your kids.

What are you most concerned about when considering your organization’s intellectual property? Please take our informal poll.

Forensic Investigation of Data Theft (Part 3)

In my last post, we determined that someone added a fictitious user account, “Allen Carey,” to Active Directory and this account was used to steal trade secrets from “Alpha Chemicals.” Fortunately, you had the foresight to install the DatAdvantage suite of products which will help recreate the activities performed by “Allen Carey” but more importantly, will help you ensure that your trade secrets are properly protected and monitored.

As you know, DatAdvantage provides a full audit trail, tracking both event activity and permission changes in a single interface. As a result, complex activities – such as correlating the activities performed by any user account across multiple platforms – are a simple task. In our hypothetical situation, the activities performed by “Allen Carey” were performed within Active Directory, within Windows Servers, within SharePoint and within Exchange. The “Allen Carey” account made permission changes and was used to obtain sensitive information – information that could devastate the financial future of our hypothetical company, “Alpha Chemicals.”

By using DatAdvantage you’ve determined the following:

  1. On November 18th at 6am (during the company’s change management window), Carol Edwards’ domain admin account was used to create a new user, “Allen Carey”
    1. Carol Edwards then added “Allen Carey” to the domain admins group
    2. Carol added “Allen Carey” to the R&D group within Active Directory
    3. Carol added “Allen Carey” as a delegate to Bob Darwin’s Exchange mailbox
    4. Carol then added send-as permissions to “Allen Carey’s” email account as well as a number of others
  2. On November 18th at 6:30am Carol Edwards subsequently removed “Allen Carey’s” account from the domain admins group
  3. All of the above changes were made from the IP address 10.4.2.3

DatAdvantage also revealed that:

  1. Between November 18th and December 1st, “Allen Carey” performed a number of underhanded activities including:
    1. Opening documents which contained the words “Transparent Aluminum” within the R&D SharePoint site
    2. Opening documents which contained the words “Transparent Aluminum” within the R&D File Server and reading each of the relevant files
    3. Opening documents which contained the words “Transparent Aluminum” within the R&D public folders and reading each of the relevant files, also from the IP address 10.4.2.3
    4. Reading email sent to Bob Darwin, who worked in R&D and specifically within the “TP” Group
    5. Marking all of the Email messages that he viewed as “unread”
    6. Using the SharePoint site to learn about collaborative activities within the R&D department
    7. Reviewing financial analysis documents sent by Bob Darwin to the finance department
    8. Using his Exchange “send-as” permissions to email documents to Bob Darwin’s new public email account (that “Allen Carey” created)
  2. After a very brief investigation, you found that Michael Allen, a temporary employee, was using a workstation with the IP address 10.4.2.3, the same workstation used by “Allen Carey”

Mystery Solved

The above information was used to determine exactly what happened: On November 1st, Michael Allen began work as a contract employee performing basic network administration for “Alpha Chemicals.” Michael was the type of person you’d like your daughter to date – nice, charming and intelligent. He was a quick study, sociable, and quickly made friends with many people in R&D, application development, infrastructure engineering and operations. On November 2nd, while troubleshooting a network problem using a packet sniffer, Michael encountered a number of packets which contained the words “Transparent Aluminum” and “Confidential.” Michael proceeded to approach a man by the name of Bob Darwin who worked in the R&D department and asked him what he knew about the compound, “Transparent Aluminum.” Bob revealed no information other than stating that it was the company’s next blockbuster product.

In mid-November Michael started dating a girl by the name of Carol Edwards. Carol had been with Alpha Chemicals for 20 years and enjoyed Michael’s company. Carol was a Domain Administrator within the IT Department with responsibility for all of the R&D servers, meaning Windows 2003 and 2008 file servers, Solaris servers, SharePoint R&D sites and both EMC and NetApp NAS storage. Dawn Franklin was a close friend of Carol’s. Dawn was the Exchange administrator and had Exchange Admin privileges within the entire Exchange environment. Michael, Carol and Dawn frequently ate lunch together and were also frequent visitors to the local pub, Scruffy’s. Apparently on November 17th, after a drink-fest at Scruffy’s, Michael obtained Carol’s domain admin password…and “Allen Carey” was conceived.

Intelligent Forensics

Companies require the ability to correlate malicious activities performed on disparate platforms with context about the sensitivity of company data, and authorization/permission changes. For example, in the above scenario, a company would require the ability to:

  • Monitor Active Directory user and group permission changes
  • Monitor access activity by domain administrators and local administrators
  • Monitor access activity within SharePoint Servers
  • Monitor access activity within Windows 2003 and Windows 2008 file servers
  • Monitor permission changes within Exchange
  • Monitor access activity within Exchange mailboxes
  • Monitor access activity within Exchange Public Folders
  • Determine where their sensitive information is located
  • Monitor email opened by people other than the owner of the mailbox
  • Monitor email transmitted outside the company
  • Monitor email sent by people other than the owner of a mailbox
  • Monitor the people who are marking email as “unread”

DatAdvantage provides these capabilities. Want to see for yourself? Sign up for a free 30-day evaluation of the entire Varonis Data Governance Suite today.

Forensic Investigation of Trade Secret Theft (Part 2)

In our recent blog post, we discussed a hypothetical situation where the General Counsel of “Alpha Chemicals” approached you and requested a whole bunch of information about “Allen Carey,” including documents he accessed and email messages he read related to the company’s blockbuster product, “Transparent Aluminum”, and a list of permissions that “Allen” had to various IT resources. Well, in parallel to his request for this information, the General Counsel also questioned the HR department and discovered that though “Allen Carey” had performed malicious activities, according to the HR department, “Allen Carey” didn’t exist!!

While not directly relevant to IT Security (but directly relevant to this scenario), in 1973, the most popular show on television was M*A*S*H. In one episode the lead character, Hawkeye Pierce, created a fictitious character, “Captain Tuttle.” During the episode, Captain Tuttle’s persona morphed from imagination to legend within the hospital, as “Captain Tuttle” was responsible for a number of very heroic actions, yet no one ever saw him. The episode ends with “Captain Tuttle” dying in a tragic accident, the only proof of his existence the dog-tags found near the accident site. That was the extent of forensics performed in this very funny comedy.

While our hypothetical situation may seem like it was created for a Hollywood comedy, what would you do if it was determined that a fictitious person named “Allen Carey” performed malicious activities that resulted in the loss of your company’s trade secrets? What type of information would you require to perform an investigation? Minimally, you would require the ability to answer the following questions:

  1. Who created Allen Carey’s user account, and when?
  2. Was Allen Carey’s user account added to or removed from any group or Access Control List, and by whom?
  3. Can you provide a record of any email accounts where Allen Carey might have had send-as or send-on-behalf of privileges, when he got those permissions, and who granted them?
  4. Which, if any, other user accounts accessed files from the workstation that Allen Carey used?

In order to provide the General Counsel with the answers to the above questions, you would need to be auditing administrative access to Active Directory and Exchange. You would also need to correlate access activities from a specific workstation to the user accounts that used that workstation. Most importantly, you would require a product that would provide historical reporting with the ability to correlate all relevant variables. AND, you would need to provide this information quickly. Of course, the General Counsel also requires the previous information he requested, as he still needs to know about the documents that Allen Carey accessed, the email messages that he read, and a list of the permissions that he had to various IT resources.
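As an added example that is not part of the original post (and not DatAdvantage code), the PowerShell below correlates a small set of constructed audit records from Active Directory, Exchange and a file server to answer the four questions above, and to rebuild the workstation correlation described in Part 3. The account names and the 10.4.2.3 address come from the scenario in the posts; the timestamps, paths and record layout are constructed.

```powershell
# Added example: correlate constructed audit records across AD, Exchange and a
# file server. Names and the IP address follow the hypothetical scenario in the
# posts; dates, paths and the record format itself are constructed.
function New-AuditEvent($Time, $Source, $Actor, $Action, $Target, $Object, $SourceIP) {
    [pscustomobject]@{
        Time = [datetime]$Time; Source = $Source; Actor = $Actor
        Action = $Action; Target = $Target; Object = $Object; SourceIP = $SourceIP
    }
}

# Constructed sample log: who did what, to which account or object, from where
$events = @(
    New-AuditEvent '2012-11-18 06:00' 'AD'         'Carol Edwards' 'UserCreated'        'Allen Carey' ''              '10.4.2.3'
    New-AuditEvent '2012-11-18 06:05' 'AD'         'Carol Edwards' 'GroupMemberAdded'   'Allen Carey' 'Domain Admins' '10.4.2.3'
    New-AuditEvent '2012-11-18 06:10' 'AD'         'Carol Edwards' 'GroupMemberAdded'   'Allen Carey' 'R&D'           '10.4.2.3'
    New-AuditEvent '2012-11-18 06:15' 'Exchange'   'Carol Edwards' 'SendAsGranted'      'Allen Carey' 'Bob Darwin'    '10.4.2.3'
    New-AuditEvent '2012-11-18 06:30' 'AD'         'Carol Edwards' 'GroupMemberRemoved' 'Allen Carey' 'Domain Admins' '10.4.2.3'
    New-AuditEvent '2012-11-20 09:12' 'FileServer' 'Allen Carey'   'FileRead' '' '\\RD-FS\Projects\TA-formula.docx' '10.4.2.3'
    New-AuditEvent '2012-11-20 10:30' 'FileServer' 'Michael Allen' 'FileRead' '' '\\RD-FS\Public\readme.txt'        '10.4.2.3'
    New-AuditEvent '2012-11-21 08:00' 'FileServer' 'Bob Darwin'    'FileRead' '' '\\RD-FS\Projects\TA-formula.docx' '10.4.7.21'
)

function Get-AccountProvenance {
    # Q1: who created the account, when, and from which workstation
    param([string]$Account)
    $events | Where-Object { $_.Action -eq 'UserCreated' -and $_.Target -eq $Account } |
        Select-Object Time, Actor, SourceIP
}

function Get-EntitlementChanges {
    # Q2 and Q3: group membership and send-as changes, with the admin who made each
    param([string]$Account)
    $events |
        Where-Object { $_.Target -eq $Account -and
                       $_.Action -in 'GroupMemberAdded', 'GroupMemberRemoved', 'SendAsGranted' } |
        Sort-Object Time | Select-Object Time, Source, Action, Object, Actor, SourceIP
}

function Get-WorkstationPeers {
    # Q4: every other account seen from the workstation(s) the suspect account used.
    # This is the join that ties the fake account back to a real person.
    param([string]$Account)
    $ips = $events | Where-Object { $_.Actor -eq $Account } |
        Select-Object -ExpandProperty SourceIP -Unique
    $events | Where-Object { $_.SourceIP -in $ips -and $_.Actor -ne $Account } |
        Group-Object Actor, SourceIP | ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Group[0].Actor
                SourceIP = $_.Group[0].SourceIP
                Events   = $_.Count
                First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
            }
        }
}

$suspect = 'Allen Carey'
"Creation of '$suspect':";              Get-AccountProvenance  $suspect | Format-Table -AutoSize
"Entitlement changes for '$suspect':";  Get-EntitlementChanges $suspect | Format-Table -AutoSize
"Other accounts on the same workstation:"; Get-WorkstationPeers $suspect | Format-Table -AutoSize
```

With the constructed records, the last table lists both the admin account that created the user and the temporary employee's account on 10.4.2.3, which is the lead the investigation in Part 3 follows up.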

In the next blog, we will dissect the forensics process in detail.

Forensic Investigation of Trade Secret Theft

Imagine this:

You’re working in Security Operations for a major chemical company and the General Counsel shows up at your desk and asks you to provide the following information about the company’s next generation space-aged polymer, commonly known as “transparent aluminum”:

  • All documents accessed by a specific employee, “Allen Carey”
  • Any documents that contain the name of a chemical compound known only by its code name, “transparent aluminum”
  • A list of email messages that:
    • were sent by “Allen Carey”
    • include in the email subject field the words “transparent” or “aluminum”
    • include any attachments that were sent by “Allen”
    • include the names of the recipients that Allen communicated with
    • include how these email messages were sent, i.e. via Outlook Web Access, the Outlook client, etc.
  • A list of the permissions that Allen has had on all relevant systems since the development of the “transparent aluminum” began in 2010, including
    • Windows File Servers
    • Unix Development Servers
    • Exchange Email Servers
    • SharePoint Servers
  • A list of all locations where documents or email messages which contain the phrase “transparent aluminum” were transmitted or taken
  • A list of the permissions of the recipients of the messages Allen has sent and what they have done with the information they received from him

The General Counsel goes on to say that the company’s financial future depends on it.  He doesn’t give you any other information, but apparently Allen Carey is suspected of selling the formula for this polymer to a group of individuals with ties to organized computer crime. He seemed like such a nice guy…

Before we get into the forensic requirements of these scenarios, it’s important to understand why protecting trade secrets is different from protecting normal business data. As most Security Administrators know, the protection of electronic data is a challenge for most companies. Protection of trade secrets presents even more of a challenge. While Security Administrators are usually very good at protecting ordinary business data, they usually don’t have the forensic tools either to proactively address discovery requests for information about trade secrets or to determine that a trade secret has been compromised. In addition, trade secrets are typically the result of years of research, marketing efforts and development and usually incur a high cost. Examples of commercial trade secrets could be the formula for your favorite beer or the design schematics for the next generation iPhone. Federal trade secrets might include the plans for a new military intelligence device or a chemical compound used in the creation of a new aircraft.

From a legal perspective, in the United States trade secrets are protected by Federal laws and regulations. For example, the Economic Espionage Act of 1996 governs industrial espionage and trade secret theft. These laws were developed to promote economic security and protect innovation so that companies can develop products with the assurance that the government will intervene if important intellectual property is compromised. According to the Economic Espionage Act, a trade secret has three parts to it: 1. information, 2. reasonable measures taken to protect the information, and 3. something which derives independent economic value from not being known. While the courts are busy trying to interpret what the second component, “reasonable measures,” actually means, Security Administrators must develop electronic forensics, entitlement management, and control plans, and architect their security instrumentation accordingly.

Basically, the General Counsel wants a digital play-by-play for Allen Carey, reviewing every step that Allen took during his journey into computer crime. Although this scenario has been painted as hypothetical, it has actually occurred in a number of trade secret theft cases, including those identified below. Although the information included with each example is brief, the message is clear: trade secrets are a challenge to protect and instrumentation must be available to monitor when trade secret theft is occurring. Some examples:

  • United States v. Jin – In this case, while on Company A’s internal network, defendant Jin downloaded over 200 technical documents belonging to Company A.
  • United States v. Pani – Pani, the defendant in this case, was employed by both Intel and AMD. Pani allegedly used his Intel-issued laptop computer to download 13 Intel documents which were classified as “Top Secret.” Pani then copied the downloaded files to his external hard drive.
  • United States v. Roberts and Howley – In this case, the defendant allegedly used his mobile phone to take 7 photographs of “Goodyear’s roll over ply-down device.” He then allegedly downloaded the 7 pictures to his personal email account and emailed the pictures to his work email account. The defendants then transmitted the photographs to other Wyco employees to be used to assist Wyco in constructing their own roll over ply-down device so that they (Wyco) could complete a contract with a Chinese tire manufacturing company.
  • United States v. Zeng – The defendant, Zeng, was a chemist for International Paint. He had access to an epoxy-based intumescent fireproofing material. He allegedly downloaded the formula for this material and printed it out. He also emailed people in China with the goal of forming a chemical company to develop and sell chemicals, including the identified fireproofing material.

Based on these actual cases, it’s clear that Security Administrators cannot rely solely on native tools or on products which provide a false sense of security about preventing data theft. Theft occurs via email, printing, mobile phones, cameras, and external media – no product alone will provide absolute prevention.

So, with these cards clearly stacked against the IT department, what should companies do to protect the most valued of valuable data, specifically their trade secrets?  How should Coke protect the formula for Coke?  How should McDonalds protect their special sauce?  How should Apple protect their designs for their new iPod or iPad?  How should your company protect what it considers the most important data that it owns? This type of data theft affects the brand and ultimately results in economic loss to the company.

In my next blog I’ll address the General Counsel’s requirements and demonstrate how forensics investigations are easily achieved using Varonis DatAdvantage and DataPrivilege.


Substantially Reducing Risk by Cleaning Up Access Permissions

The article, “The Art of Profiling Cyber Criminals” within Dark Reading on December 8th, 2011 provides a brief outline of the characteristics of a typical cyber criminal.  The article is of interest because of its detailed description of the malicious insider.  Of particular interest is the following quote:

“Around 65 percent of malicious insiders have already lined up new job with a competitor or started their own firm at the time of the data theft. More than half begin stealing information within a month of leaving their employer.” The article goes on to say, “Three-fourths take information that they have legitimate access to in their jobs, and more than half of these cases involve the theft of trade secrets.” Therefore, based on this study, 25% of the insiders who steal sensitive company information should NOT have had access to the information to begin with.

In this age where most IT purchasing decisions are reduced to an ROI calculation, there is no denying that providing the ability to reduce data theft by 25% (simply by better control of access permissions) provides a very obvious ROI to those companies who are challenged with protecting intellectual property.

Authorized Access – Understanding how US laws affect your authorization p...

In 1986, the United States Congress passed the Computer Fraud and Abuse Act (CFAA). While the intent of these laws was originally to protect government computers and information from hackers, the laws have been applied to commercial interests as well. Specifically, the Computer Fraud and Abuse Act subjects to punishment anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” While it is not our position to advise clients on this topic, it is important to understand how the US Courts interpret the phrases “authorized access” and “exceeds authorized access.”

Through litigation, the US legal system has attempted to interpret the CFAA and determine the legal definition of “authorized access” and “exceeds authorized access.” Before getting into the value of Varonis features, it is essential to review the prevailing case law and judicial opinions about this topic.  While there have been a number of cases addressing this issue, there are two cases and an opinion by a US District Court that stand out, each of which provides a basis for current legal decisions that address authorization issues.  Not surprisingly, most available case law involves data “theft” by individuals who, at some level, had permission to access the information that they accessed.  For example:

  • USA v Nosal – In this case Nosal (a former employee of Korn/Ferry) obtained proprietary information from his former co-workers which he used to start a competing business. The former co-workers had authorization to access the information via the access permissions provided to them by Korn/Ferry, but the courts challenged whether they “Exceeded Authorized Access” because they signed a Non-Disclosure Agreement as well as an Acceptable Use Policy.
  • LVRC Holdings LLC v. Brekka – Brekka (an employee of LVRC) emailed business documents to his and his wife’s personal email accounts. Brekka had permission to access the business documents and LVRC did not have an acceptable use policy, so Brekka did not violate any access restrictions and ultimately maintained “Authorized Access.”
  • The United States Seventh Circuit District Court has stated that “an employee accesses a computer without authorization the moment the employee uses a computer or information on a computer in a manner adverse to the employer’s interest.” This opinion stated that access permissions were only one factor in determining authorized access. In this case, the access permissions available to the employee were considered, as well as whether the employee used these permissions and data in a manner which was detrimental to his employer’s interests. In other words, regardless of the permissions available to an employee, a “disloyal” employee may be guilty by accessing information available to them with ill intent. Other courts have offered differing opinions about this specific issue, creating additional confusion.

As you can see, the ability to determine what constitutes authorized access is still subject to interpretation in the courts. Acceptable Use Policies and Non-Disclosure Agreements are important, but they are only useful after an incident has taken place. Written policies and expectations of loyalty don’t safeguard important data and they don’t prevent disloyal employees from using data to their advantage. Ultimately, IT Administrators must enforce rightful access via best practices: data owner involvement in authorization processes in conjunction with an audit trail to validate acceptable use. In other words, access should be granted purposefully and periodically reviewed.

Varonis products provide the following features which will help to address the legal issues identified above:

  • Complete visibility into the permissions that each individual has across Windows, Unix, Linux, SharePoint and Exchange environments
  • A full audit trail which demonstrates whether an employee has accessed data that an employer would consider important or inappropriate
  • The ability to ensure rightful access, involving data owners in the decision making process
  • The ability to determine the sensitivity of data, as defined by data owners
  • A provisioning system complete with an audit trail which can report on why a person was granted access to a resource, when, and by whom
  • Automated entitlement reviews to ensure that permissions are always appropriate

Moral of the story: Make every effort to ensure and validate rightful access so that you can peacefully co-exist with the vagaries of the law. Varonis products can ensure ongoing authorized access and provide information to support a claim that a person exceeded their authorized access.