All posts by Michael Buckbee

[Podcast] Cyber Threats Are Evolving and So Must Two-Factor

Leave a review for our podcast & we'll put you in the running for a pack of cards.


Finally, after years of advocacy, many popular web services have adopted two-factor authentication (2FA) as a default security measure. Unfortunately, as you might suspect, attackers have figured out workarounds: for instance, intercepting the one-time PIN during a password reset via a man-in-the-middle attack.

So what should we do now? As the industry moves beyond 2FA, the good news is that three-factor authentication is not on the shortlist as a replacement. Google’s identity systems manager, Mark Risher said, “One of the truths we’ve found is that people won’t accept more security than they think they need.”

There has been talk of biometrics as a promising next form of authentication. In the meantime, know that using 2FA is still more secure than using just a password.

Panelists: Rob Sobers, Mike Buckbee, Kilian Englert

[Podcast] Budgets and Ethics

Right now, many companies are planning 2018’s budget. As always, it is a challenge to secure enough funds to help with IT’s growing responsibilities. Whether you’re a nonprofit, small startup or a large enterprise, you’ll be asked to stretch every dollar. In this week’s podcast, we discussed the challenges a young sysadmin volunteer might face when tasked with setting up the IT infrastructure for a nonprofit.

And for a budget interlude, I asked the panelists about the growing suggestion for engineers to take philosophy classes to help with ethics related questions.

Tool of the week: honeyλ, a simple, serverless application designed to create and monitor URL {honey}tokens, on top of AWS Lambda and Amazon API Gateway

Panelists: Kilian Englert, Mike Thompson, Mike Buckbee

[Podcast] Is Data Worth More Than Money?

When it comes to infosecurity, we often say that data should be treated like money. And rightfully so. After all, data is valuable, not to mention the human hours devoted to safeguarding an organization’s data.

However, when a well-orchestrated attack is aimed at destroying an organization’s data rather than at financial gain, we wondered whether data is really worth more than money.

Sure you can quantify the cost of tools, equipment, hours spent protecting data, but what about intellectual and emotional labor? How do we assign proper value to the creative essence and spirit of what makes our data valuable?

Panelists: Mike Buckbee, Kilian Englert, Mike Thompson

Data Security Software: Platforms Over Tools

As recent security incidents like NotPetya, Wannacry and the near daily data breach reports have shown, data security isn’t getting easier. And it’s not because IT groups aren’t putting in the work.

IT and Infosec Is Just Fundamentally Getting More Complex.

New internal and external services are being added constantly, and each service requires management. These days you need everything from data classification to auditing to risk management to archiving in order to stay compliant and secure. These applications and services are challenging enough to run smoothly, and often are accompanied by a dump truck full of wildly complex regulatory or legislative requirements like GDPR.

So how do you do more with less? How do you start to deal with these issues at a fundamental level instead of playing Whack-A-Mole with the security of each new product? You need a place to stand.

Which Is Why We’ve Created the Varonis Data Security Platform.

The Varonis Data Security platform solves these challenges with a unified, integrated solution:

  • Monitor and analyze file activity and user behavior
  • Discover overexposed sensitive data
  • Detect unusual behavior on your network (no matter the user or application)
  • Easily model and clean up permissions on your network
  • Detect unneeded access and unused data that’s making you vulnerable

All of which lets you do things like:

  • Investigate suspicious users
  • Automatically react to anything behaving like ransomware
  • Alert on permissions changes or unusual access to sensitive data
  • Automate reporting and auditing

See how all of this comes together in a quick three minute overview of the Varonis Data Security Platform:


[Podcast] In the Dark about Our Data

It’s been reported that 85% of businesses are in the dark about their data: they are unsure what types of data they have, where it resides, who has access to it, who owns it, or how to derive business value from it. Why is this a problem? First, the EU’s consumer data regulation, the GDPR, is just a year away, and if you’re in the dark about your organization’s data, meeting it will be a challenge. And if your organization is outside the EU but processes EU citizens’ personal data, the GDPR rules still apply to you.

Second, when you encounter attacks such as ransomware, it’s a bit of a mess to clean up. You’ll have to figure out which users were infected, if anything else got encrypted, when the attack started, and how to prevent it from happening in the future.

However, worse than a ransomware attack are the attacks that don’t announce themselves, like insider threats. These don’t present you with a ransomware-style pop-up window telling you you’ve been hacked.

It’s probably better to be the company that got scared into implementing some internal controls, rather than the one that didn’t bother and then went out of business because all its customer data and trade secrets ended up in the public domain.

In short, it just makes good business and security sense to know where your data resides.

Tool of the week: DNSTwist

Panelists: Mike Thompson, Kilian Englert, Mike Buckbee

[Podcast] What Does the GDPR Mean for Countries Outside the EU?

The short answer is: if your organization stores, processes or shares EU citizens’ personal data, the EU General Data Protection Regulation (GDPR) rules will apply to you.

In a recent survey, 94% of large American companies said they possess EU customer data that will fall under the regulation, but only 60% of respondents had plans in place to respond to the impact the GDPR will have on how they handle customer data.

Yes, GDPR isn’t light reading, but in this podcast we’ve found a way to simplify the GDPR’s key requirements so that you’ll get a high level sense of what you’ll need to do to become compliant.

We also discuss the promise and challenges of what GDPR can bring – changes to how consumers relate to data as well as how IT will manage consumer data.

After the podcast, you might want to check out the free 7-part video course we developed with Troy Hunt on the new European General Data Protection Regulation that will tell you: What are the requirements?  Who will be affected?  How does this help protect personal data?

[Podcast] Tracking Dots, Movement and People

Long before websites, apps and IoT devices, one primary way of learning and sharing information was the printed document. They’re not extinct yet. In fact, we’ve given them an upgrade: nearly all modern color printers embed some form of tracking information that associates a document with the printer’s serial number. This type of metadata is known as tracking dots. They came to public attention when prosecutors alleged that 25-year-old federal contractor Reality Leah Winner printed a top-secret NSA document detailing the ongoing investigation into Russian election hacking last November and mailed it to The Intercept. Rest assured the Inside Out Security Show panelists all had a response to this form of printed metadata.

Another kind of metadata, one the Supreme Court will take up, is cell phone location history: does the government need a warrant to access it? “Because cell phone location records can reveal countless private details of our lives, police should only be able to access them by getting a warrant based on probable cause,” said Nathan Freed Wessler, a staff attorney with the ACLU Speech, Privacy, and Technology Project.

Other articles discussed:

  • Malware installed on a router can take control over a device’s LEDs and use them to transmit data
  • Twitter’s Studio product had a vulnerability that allowed tweeting from any account
  • Secret code hidden in comments on Britney Spears’ Instagram account

Inside Out Security Show panelists: Mike Buckbee, Kilian Englert, Forrest Temple

US State Data Breach Law Definitions

In Part 1, A Guide to Per State Data Breach Response, we discussed the importance of understanding what classes of data you have in your control.

We stress this point as it’s easy to get lost in the different numerical conditions around per state data breach disclosure. What’s often not considered is that due to differences in how a state defines Personally Identifiable Information (PII), what may be considered a data breach in North Dakota might not be a data breach in Florida.

Typically “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Also, it’s important to remember that these data points are combinatorial. For example, emailing a spreadsheet of Social Security Numbers that did not include associated first and last names likely wouldn’t be considered sufficient to trigger data breach disclosures in most cases.

All of this results in the need to understand exactly what information was lost in a breach.

Common PII Definitions

Almost all states consider a mixture of:

  • First Name or Last Name
  • Social Security Number
  • State ID (Driver License, Passport) – Given that these are per state laws, they are often keenly interested in disclosure of Driver’s License numbers, Passport information, etc.
  • Financial Account Information (account code, passcode, password). Typically this is summarized as “any ability to access a financial account” and encompasses anything that might be used for access to bank, credit card, retirement, investment or savings accounts. The definition is broad enough to include things like cryptocurrencies as they’re clearly financial in nature.
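As an added example (not code from the original article), here is a small Python classifier that applies the combinatorial baseline above to a constructed spreadsheet export: it labels columns by header name, catches an unlabelled Social Security Number column by pattern, and only reports a notification trigger when a name is present together with a government identifier, or a financial account plus its access credential. It also serves the “classify your data by type” checklist in Part 1 of the per state guide further down this page. The field names, the SSN pattern and the sample CSV text are assumptions, and the rule set is a simplification of what the article describes, not any one state’s statute.

```python
import csv
import io
import re

# Column headers mapped to the article's baseline PII classes.
# Assumption: illustrative header names; extend for your own schemas.
NAME_FIELDS = {"first_name", "last_name", "name"}
IDENTIFIER_FIELDS = {"ssn", "drivers_license", "passport"}
FINANCIAL_ACCOUNT_FIELDS = {"account_number", "card_number"}
ACCESS_CREDENTIAL_FIELDS = {"pin", "password", "security_code"}

# Catches an SSN column even when its header gives nothing away.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def classify_columns(csv_text):
    """Return the set of baseline PII classes present in a CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    present = set()
    for column in reader.fieldnames or []:
        key = column.strip().lower().replace(" ", "_")
        values = [row[column] for row in rows if row.get(column)]
        looks_like_ssn = bool(values) and all(SSN_RE.match(v) for v in values)
        if key in NAME_FIELDS:
            present.add("name")
        elif key in IDENTIFIER_FIELDS or looks_like_ssn:
            present.add("government_id")
        elif key in FINANCIAL_ACCOUNT_FIELDS:
            present.add("financial_account")
        elif key in ACCESS_CREDENTIAL_FIELDS:
            present.add("access_credential")
    return present


def triggers_baseline_notification(present):
    """Combinatorial rule from the article: a name plus at least one
    sensitive element. An account number alone does not count; it needs
    the access credential (PIN, password, security code) exposed with it."""
    if "name" not in present:
        return False
    if "government_id" in present:
        return True
    return "financial_account" in present and "access_credential" in present


# Constructed sample exports; the values are not real people's data.
SSN_ONLY = "id number\n123-45-6789\n987-65-4321\n"
NAME_AND_SSN = "first_name,last_name,ssn\nAda,Lovelace,123-45-6789\n"
CARD_NO_CREDENTIAL = "first_name,card_number\nAda,4111111111111111\n"
CARD_WITH_PIN = "first_name,card_number,pin\nAda,4111111111111111,2468\n"

if __name__ == "__main__":
    samples = [("ssn only", SSN_ONLY), ("name+ssn", NAME_AND_SSN),
               ("card only", CARD_NO_CREDENTIAL), ("card+pin", CARD_WITH_PIN)]
    for label, text in samples:
        present = classify_columns(text)
        print(f"{label:10} {sorted(present)} -> trigger: "
              f"{triggers_baseline_notification(present)}")
```

The SSN-only export is classified as containing a government identifier but does not trigger, which is the spreadsheet case from the text; add a name column and it does. The state-specific extras covered below (username/password pairs, biometrics, DNA) are not modelled here.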

With that as the baseline we can then start to consider some more of the outlying criteria. While this may or may not affect you today, the conventional wisdom is that sometime in the not too distant future a comprehensive Federal Data Breach disclosure law is going to be passed. Most likely it will be a roll-up of the different state disclosure laws.

Given this, it’s good to consider this a roadmap of the data that you need to preferentially protect, manage, secure and dispose of to protect your organization from breaking the law.

Account Information

In large part, mass data breaches are dangerous because consumers often reuse credentials between accounts. It’s not uncommon for someone to use the same email address and password between say their social network, their bank and their preferred shopping site.

This means that a breach in any one of those systems actually compromises them all.

With that in mind, I was pleasantly surprised to find that a handful of states require notification if any kind of username/password pair is leaked from a service (as it’s quite likely that those passwords would also unlock more sensitive financial or medical accounts).

These statutes are not widely known and potentially affect thousands of tiny one-off SaaS services, forums, blogs, companies and other websites.

It’s a big change from the mindset of “We don’t have any valuable information, so it’s not a big deal if we’re hacked.”

Someone who runs a moderately popular WordPress blog with comments enabled is likely not thinking “I need to check Georgia Data Breach Notification laws” when their site gets hacked.

Biometric Information

Biometrics are increasingly popular as a means of adding additional factors to authentication or as a user friendly way of securing access. Given this, unsurprisingly, unauthorized access to biometric data is considered to be a leak of personally identifiable information.

These include fingerprints, retina or iris scans, or any other “unique physical representation” (so presumably facial recognition, palm scans, gait analysis and the like would all fall under this category).

The statutes themselves don’t get into the fine detail of what constitutes biometric storage. They don’t differentiate storing a high definition image of a thumbprint from a system that takes sample points from a thumbprint and stores a hash of the value. Unauthorized disclosure of either would be considered a data breach.

DNA

Currently, only Wisconsin considers a disclosure of your personal genetic makeup to be “Personally Identifying Information”.

Electronic Signature

Somewhat maddeningly, the definitions of what constitutes an electronic signature are quite vague. But it would be fairly safe to assume that they include PKI keys as a signatory mechanism.

To me this is interesting as there are lots of cases where a web host might have thousands of vulnerable sites in standalone VPS silos. You could imagine some PHP bug that allowed the contents of those silos to be listed, which would then trigger the disclosure rules.

Medical Information

Generally defined as: “any electronic or physical information about treatment, diagnosis or history”, which extends far beyond a formal medical record as one might have in a hospital.

Consider something like a consent form for a trampoline park (not pregnant or has a history of heart issues) or a checkbox in a form that indicates that someone has a peanut allergy.

Date of Birth

Date of Birth is often used as a security question and inclusion of it as a PII indicator seems forward thinking.

Employer ID

An identification number assigned to the individual by the individual’s employer in combination with any required security code, access code, or password.

Mother’s Maiden Name

Long used as the answer to security questions, disclosure could potentially be used for account recovery attacks.

Health Insurance Information

This is distinct from any actual medical information; it covers only items such as who is providing coverage and the identification number for the account.

Tax Information

I’m honestly a bit surprised that tax information isn’t more often considered to be a reportable data breach event as it’s so often used as a means of identification.

Conclusion

We hope this underscores the importance of classifying the data on your network to better prepare for a potential data breach.

[Podcast] Taking The Long View, Investing in Technology and Security

We’re living in exciting times. Today, if you have an idea as well as a small budget, you can most likely create it. This is particularly true in the technology space, which is why we’ve seen the explosion of IoT devices on the marketplace.

However, what’s uncertain is the byproduct of our enthusiastic making, innovating, and disrupting.

Hypothetical questions that used to be debated on the big screen are questions we’re now debating on our podcast. Will we be able to maintain an appropriate level of privacy within our homes? What are some positive and negative applications of a new technology? Should we do away with identification cards so that we can authenticate with biometrics instead?

On this week’s Inside Out Security Show, Kilian Englert, Kris Keyser and Mike Buckbee weigh in on these pressing questions.

Course of the week: GDPR Attack Plan: What You Need To Know

A Guide to per State Data Breach Response

Part 1: Preparing for a US Data Breach

In the data management and IT space there has been significant consideration and hand wringing about how the European Union’s General Data Protection Regulation (GDPR) will eventually impact US based businesses, or how a future US Federal data breach disclosure law might affect IT operations. What is often missed in the discussion is that significant per state data breach notification regulations are currently in effect in the USA.

What’s even worse, as laws vary so much state to state, you might not realize that they apply to you until you’ve already broken them.

What is a Data Breach?

Data integrity centers around control. Who can access a particular piece of data? Who has rights to modify a file? What accounts can write to a database?

If at any point, for any reason, an organization loses control of a piece of data it’s considered to be a data breach.

From a technical perspective there is a massive difference in the severity of the threat posed by something like the OPM data breach (which exposed the background investigation files, fingerprints, medical history and Social Security Numbers of 4.2 million people) and the compromise of the forum software on a relatively small website.

While vastly different in scope and in the type of data that was exposed, it’s important to realize that the analysis, response and notifications that need to be taken are exactly the same.

We are right now living in a world where it’s very likely that what were previously routine attacks or incidents should be reported as a data breach.

Depending on what state you’re in and exactly what was exposed any of the following scenarios would trigger the need for you to execute on a data breach notification plan:

  1. A phishing attack that revealed employment data on a half dozen employees.
  2. A spreadsheet with a list of student emails and whether they had peanut allergies.
  3. A forum breach where emails and passwords were taken.
  4. A cloud based service that you use experiencing a security incident.

A ransomware attack that encrypts files containing PII data is considered a data breach in legal terms as while the data hasn’t left the confines of your network, it’s no longer in your control. For more information, read: Is a ransomware attack a data breach?

What to do to Prepare for a Data Breach Notification?

Understanding what data is in your possession, who it’s associated with and who is using it are all keys to making breach notification decisions.

Data Breach Preparation Checklist

  1. Properly associate your data with a user
  2. Maintain up to date contact information
  3. Keep up to date records of which US State a person resides in:
    • Self reported (shipping or billing address) and when it was last updated
    • IP Address
  4. Classify your data by type
    • First or Last Name
    • Social Security Number
    • State ID numbers (Driver License, Passport)
    • Any financial account information
    • Any biometric information (fingerprints, retina scans, etc.)
    • DNA (genetic) identifiers
    • Electronic Signatures
    • Employer ID numbers or access codes
    • Any Financial information (ex: retirement account numbers, investment information)
    • Health Insurance Info (a health insurance ID is sufficient)
    • Any medical information

A product like the Data Classification Framework can be very helpful in identifying PII within files on a network.

What to do when you Discover you have a Data Breach?

First you should take whatever steps are necessary to prevent further data loss (patch, modify permissions, other remediation).

Next:

  1. Formally note the date you first became aware of the data breach as the clock is ticking.
  2. Determine the number of people affected.
  3. Find out exactly what user identifying data attributes were disclosed.
  4. Investigate to find out exactly what types of application data were affected.
  5. If you prepared and have per state user information, determine what communication options you have to contact each person (email, SMS, mailing address).

How to Avoid Having to do Data Breach Notifications?

We’re going to presume that you’re already taking steps to secure your network and applications properly. You may or may not have taken additional steps to structure and monitor your data internally. Doing so both better protects data you’ve been entrusted with and limits the potential that you’ll need to be in a meeting with the CEO, Chief Legal Counsel and the Attorney General of your state.

Have a Data Retention and Purge Plan

Purge unused data (quantities of data matter, as different rules are triggered at higher numbers of affected users). Products like Data Transport Engine and others allow you to do things like remove data based on rules such as “file hasn’t been accessed in 6 months”. Other applications like DatAdvantage let you conduct entitlement reviews continuously to limit who has access to what data.
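As an added example (not the article’s code and not any Varonis product’s), here is a stand-alone Python version of that “hasn’t been accessed in 6 months” rule, run against a constructed temporary directory. It takes the newer of access and modification time, because on volumes mounted noatime or relatime the access time alone is unreliable, and it defaults to a dry run so the candidate list can be reviewed before anything is deleted. The 182 day cutoff and the sample file names are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumption: "6 months" taken as 182 days.
SIX_MONTHS = 182 * 24 * 60 * 60


def stale_files(root, max_idle_seconds=SIX_MONTHS, now=None):
    """Files under root not used for longer than max_idle_seconds.
    "Used" is the newer of atime and mtime: a file written recently but
    never read back is not stale, and on noatime/relatime mounts atime
    may be stuck in the past while mtime is still trustworthy."""
    now = time.time() if now is None else now
    stale = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        last_used = max(st.st_atime, st.st_mtime)
        if now - last_used > max_idle_seconds:
            stale.append(path)
    return sorted(stale)


def purge(root, dry_run=True, **rule):
    """Apply the retention rule; dry_run (the default) only reports.
    Returns the relative paths removed, or that would be removed."""
    removed = []
    for path in stale_files(root, **rule):
        if not dry_run:
            path.unlink()
        removed.append(path.relative_to(root).as_posix())
    return removed


def build_sample_tree():
    """Constructed sample: one export untouched for a year, one fresh file."""
    root = tempfile.mkdtemp(prefix="retention-")
    old = Path(root, "exports", "customers-2016.csv")
    old.parent.mkdir()
    old.write_text("name,ssn\n")
    year_ago = time.time() - 365 * 24 * 60 * 60
    os.utime(old, (year_ago, year_ago))  # backdate both atime and mtime
    Path(root, "current-report.csv").write_text("name,ssn\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("would remove:", purge(root))
    print("removed:", purge(root, dry_run=False))
    print("left over:", purge(root))
```

Run it twice in dry-run mode and the same file is reported both times, which is the point of the default: nothing leaves the disk until someone has looked at the list.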

Separate Authentication and Application Data

While this isn’t always possible, having a separate, higher security authentication system that holds users’ emails and passwords (or other credentials) adds another layer of security: an application that only holds an opaque user identifier has no credentials to lose.

A great recent example of this is the Unity Forum data-breach. Unity is a framework for developing 3D content like games and virtual reality experiences. They have tens of thousands of developers who ask questions of each other and have discussions around such exciting topics as: “Dynamically Translating/Rotating a NavMeshSurface/NavMesh Agent”.

Users log into the forums via a central UnityID service that also controls access to their asset store, question and answer site, etc. So while their forums were defaced they were able to write:

“On April 30, our public forum website was attacked and successfully compromised due to poorly implemented password routines; our investigations show no theft of passwords in this attack, nor impact to any other Unity service.”

What’s unsaid is that they also sidestepped most data breach disclosure requirements as in most cases losing control of user passwords is a trigger. This separation helps keep a bad situation from turning into a legal quagmire.
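To make the separation concrete, here is an added Python sketch (not Unity’s code; their design is known only from the statement above) with two SQLite databases: a credential store holding email addresses and salted PBKDF2 password hashes, and a forum store that only ever sees an opaque subject id. The last function shows what a full read of the forum database yields and checks that neither the email nor the password hash is in it. Table layouts, the iteration count and the sample user are assumptions.

```python
import hashlib
import os
import secrets
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumption: tune to your hardware


def open_stores():
    """Two physically separate databases (in memory here for the demo)."""
    auth = sqlite3.connect(":memory:")
    auth.execute("CREATE TABLE account (subject TEXT PRIMARY KEY, "
                 "email TEXT UNIQUE, salt BLOB, pw_hash BLOB)")
    forum = sqlite3.connect(":memory:")
    # The forum stores only an opaque subject id: no email, no password.
    forum.execute("CREATE TABLE post (id INTEGER PRIMARY KEY, "
                  "subject TEXT, body TEXT)")
    return auth, forum


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(auth, email, password):
    """Create an account in the credential store; returns the subject id
    that every other service uses to refer to this user."""
    subject = secrets.token_hex(16)
    salt = os.urandom(16)
    auth.execute("INSERT INTO account VALUES (?, ?, ?, ?)",
                 (subject, email, salt, _derive(password, salt)))
    return subject


def login(auth, email, password):
    """Return the subject id on success, None otherwise."""
    row = auth.execute("SELECT subject, salt, pw_hash FROM account WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        return None
    subject, salt, pw_hash = row
    return subject if secrets.compare_digest(_derive(password, salt), pw_hash) else None


def post(forum, subject, body):
    forum.execute("INSERT INTO post (subject, body) VALUES (?, ?)", (subject, body))


def dump_everything(db):
    """Every value in every table: what a full read of one store yields."""
    tables = [t for (t,) in db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()]
    values = []
    for table in tables:
        for row in db.execute(f"SELECT * FROM {table}").fetchall():
            values.extend(str(v) for v in row)
    return values


def forum_dump_leaks_credentials(auth, forum, email):
    """True if a forum compromise would have exposed this user's email or
    password hash; with the stores separated it should be False."""
    (pw_hash,) = auth.execute("SELECT pw_hash FROM account WHERE email = ?",
                              (email,)).fetchone()
    leaked = dump_everything(forum)
    return email in leaked or str(pw_hash) in leaked


if __name__ == "__main__":
    auth, forum = open_stores()
    subject = register(auth, "ada@example.test", "correct horse battery staple")
    post(forum, subject, "Dynamically translating a NavMeshSurface")
    print("forum dump:", dump_everything(forum))
    print("leaks credentials:", forum_dump_leaks_credentials(auth, forum, "ada@example.test"))
```

The subject id does appear in the forum dump, and that is fine: it is meaningless without the credential store, which is exactly the position Unity was able to take in its statement.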

Who Needs to Be Notified When a Data Breach Occurs?

Affected users should be notified that a data breach has occurred. It’s important that they are informed of what has occurred and what steps they should take “without undue delay”.

Do I Need to Notify each State’s Attorney General?

Depending upon the per state breakdown of affected users, each state attorney general’s office may need to be notified. For example, Hawaii requires that the attorney general be notified if over 1,000 state residents are included in a breach, whereas North Dakota requires notification for more than 250, and New York State if any state residents are affected.

Do I need to Notify a Nationwide Consumer Credit Reporting Agency (Credit Bureau)?

Similar to the attorney general notifications, per state requirements govern whether you will need to contact Consumer Credit Reporting Agencies (CCRA). Depending on the type of data that has been compromised, you may need to coordinate fraud alerts and credit freezes with them.

How Should People be Notified of a Data Breach?

For most small scale breaches (defined per state) notifications can be done via email, mail or telephone. It’s recommended to contact people in the most expeditious way possible, which for most organizations likely means you’ll be conducting notifications via email.

In cases where the cost of notification exceeds a certain limit (most often $200,000), the number of people affected exceeds a threshold (most often 500,000), or you don’t have sufficient contact information to send individual notifications, mass notification procedures can be used instead.

Typically this comes down to placing a “prominent” notification on your public facing website for a period of time sufficient to inform affected users.

Alternatively, statewide media may be contacted and informed of the data breach. Typically this is taken to mean that you send your breach disclosure information to the newspapers and TV stations operating in the state. This quickly becomes complex enough that you should not tackle it on your own; use a press release service to distribute your notification instead.

How can I Figure Out What States My Users Reside In?

By far the easiest method is to ask them and then periodically reconfirm that their information is up to date. If you have ever registered a domain, you’ve likely received an email asking you to confirm that your contact information is current. If circumstances allow, you could build something similar into your own application or processes.

Unfortunately, that’s not always an option. A solid fallback is to record the most recent IP address of each user when they reconnect with your service. You may already be recording this for other reasons (rate limiting, load balancing, it’s a default feature of your authorization service, etc.).

If needed you can then run the recorded user IP addresses through an IP to location service such as MaxMind or FreeGeoIP, which will return general location information including which US state the IP is located within.

It’s important to keep in mind that all of these services become increasingly inaccurate as the geographic specificity increases. In almost all cases they’ll identify what country a person is connecting from correctly, and in the vast majority of cases (barring VPN use or other network oddities) the state. If you’re relying upon IP state identification, it is probably a good idea to err on the side of caution and presume that you have mis-identified a few user locations if you’re on the cusp of a state notification limit.
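As an added example (not code from the article), the following Python puts the threshold figures quoted earlier for Hawaii, North Dakota and New York together with the self-reported-then-IP fallback described here. A constructed prefix table stands in for a MaxMind style GeoIP database, a self-reported state always wins over the IP-derived one, and the attorney general check adds a cushion for possibly mislocated IP-derived users, which is the “err on the side of caution” advice turned into a number. The thresholds are the article’s examples and must be checked against current statutes; the 5% margin, the prefixes and the sample users are assumptions.

```python
import ipaddress
import math
from collections import Counter

# "Notify the AG if more than N residents are affected"; 0 means any resident.
# Figures are the article's examples only; assumption: verify before relying on them.
AG_NOTIFY_IF_MORE_THAN = {"HI": 1000, "ND": 250, "NY": 0}

# Constructed stand-in for a GeoIP database (MaxMind, FreeGeoIP). These
# documentation ranges belong to no real state.
GEOIP_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "HI",
    ipaddress.ip_network("198.51.100.0/24"): "ND",
    ipaddress.ip_network("192.0.2.0/24"): "NY",
}

# Assumed share of IP-derived locations that might really be another state.
IP_ERROR_MARGIN = 0.05


def state_from_ip(ip):
    addr = ipaddress.ip_address(ip)
    for network, state in GEOIP_PREFIXES.items():
        if addr in network:
            return state
    return None


def resolve_state(user):
    """Self-reported address wins; the last-seen IP is the fallback."""
    if user.get("self_reported_state"):
        return user["self_reported_state"], "self_reported"
    if user.get("last_ip"):
        return state_from_ip(user["last_ip"]), "ip"
    return None, "unknown"


def tally_affected(users):
    """Per-state counts, kept separate by how confident the location is."""
    exact, ip_only, unknown = Counter(), Counter(), 0
    for user in users:
        state, source = resolve_state(user)
        if state is None:
            unknown += 1
        elif source == "ip":
            ip_only[state] += 1
        else:
            exact[state] += 1
    return exact, ip_only, unknown


def ag_notifications(users, margin=IP_ERROR_MARGIN):
    """Decide per state whether the attorney general threshold is crossed,
    padding any state that has affected users with a cushion of possibly
    mislocated IP-derived users so that a near miss is treated as a hit."""
    exact, ip_only, _ = tally_affected(users)
    cushion = math.ceil(sum(ip_only.values()) * margin)
    decisions = {}
    for state, more_than in AG_NOTIFY_IF_MORE_THAN.items():
        count = exact[state] + ip_only[state]
        padded = count + cushion if count else 0
        decisions[state] = {"count": count, "padded": padded,
                            "notify": padded > more_than}
    return decisions


def constructed_users():
    """Sample population: 240 users placed in ND by IP alone, 5 who
    self-reported ND (their IP says HI and is ignored), one in NY and
    one with no location data at all."""
    users = [{"email": f"u{i}@example.test", "last_ip": f"198.51.100.{i}"}
             for i in range(1, 241)]
    users += [{"email": f"nd{i}@example.test", "self_reported_state": "ND",
               "last_ip": "203.0.113.9"} for i in range(5)]
    users.append({"email": "ny@example.test", "self_reported_state": "NY"})
    users.append({"email": "nowhere@example.test"})
    return users


if __name__ == "__main__":
    for state, decision in ag_notifications(constructed_users()).items():
        print(state, decision)
```

With the sample population North Dakota comes out at 245 affected residents, under its 250 threshold, yet it is flagged for notification because 240 of those locations rest on IP lookups alone; run the same check with the margin set to zero and it falls back under the line, which is the trap the paragraph above warns about. The one user with no location data is counted separately so the gap is visible rather than silently dropped.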

What Should be in a Data Breach Notification?

California has the most detailed breach notification requirements in the United States, up to and including specifying the font-size that notifications should be displayed with.

Their requirements (and an excellent guideline for all communication)

  • Should be written in plain English
  • Title and headings should be conspicuously displayed
  • Should be set in type no smaller than 10pt
  • Should be titled “Notice of Data Breach” with paragraphs covering:
    • What Happened
    • The Date of the Breach, Estimated Date or Date Range
    • What Information Was Involved
    • What We Are Doing
    • What You (the user) Can Do
    • For More Information

In the case of California (and other states) there are further mandates based on the type of data exposed. For instance, if a Social Security number, driver’s license number or California identification card number is exposed, then the toll free numbers and addresses of the major credit reporting agencies need to be included in the communication.

We’ve included a copy of their form for your use below:

Download: California Model Data Breach Disclosure Form

Data Breach Notification Deadlines

It’s important to note that the timing requirements for disclosure are based around when your organization first learned of the data breach. The majority of states require that data breach notifications are sent: “Without undue delay”, most aggressively this is defined as within 30 days of discovery.

The distinction is important as there is often a significant lag between when a breach happens and when it’s discovered (many times by an outside party).

Given the tight timelines, it’s not practical to manually review all the different US State data breach notification laws.

Is a ransomware attack a data breach?

Ransomware is a loss of control

Most IT people equate exfiltration of data from their network with the point at which control is lost and a data breach has occurred. They think of it as “where are the bits?”: if your user database is being passed around the internet via BitTorrent and sold off for 0.0001 BTC an account, you have clearly lost control.

What’s not so obvious is that ransomware (or any form of malware infection) represents a loss of control of the data within your network and that constitutes a data breach.

The proper way to consider it is if a malicious person wandered into your office, walked past the receptionist and security guard, got on the elevator down to the basement, unlocked the door to the server room, logged into your main file server with some stolen admin credentials, encrypted 10,000 random files that your users rely upon for their work and then walked out.

If someone were to perpetrate the above physical attack on your facility it would clearly represent a loss of data control. However, too many sysadmins wrongly consider a ransomware attack as purely internal and not a data breach.

A good conceptual way to think about it is as a breach of your control systems, not a breach of the network itself.

Most of the per state data breach response guidelines are clearly modeled after the HIPAA regulations, which explicitly classify the presence of ransomware as a security incident and, unless a low probability of compromise can be demonstrated, presume that a breach has occurred:

The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Source: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

A ransomware attack is a data breach and organizations should treat it as such.