Posted on Wed, Aug 18, 2010 @ 09:45 AM
Another insider data breach story that dovetails with our blog post from yesterday. It's amazing to see that organizations (including government entities) have very little in the way of access governance controls in place.
NetworkWorld article on Canada Revenue Agency Data Breach
Our friend Dave Kearns from Network World summed it up well in his article covering this news. "This incident could be the poster child for why you need governance, oversight and access control policies -- and enforcement. In this day and age it's not hard to implement, and in many places it's required by government fiat. Of course, most governments always exempt themselves from the fiats they enact."
"Best to review your governance, oversight and access control policies now -- before your organization features prominently (and ashamedly) in a newspaper headline!"
We encourage organizations not to wait until a control failure or regulatory audit finding happens to realize the importance of having proper governance over user access to critical information resources. Put an initiative in place now and avoid this known and pervasive risk. If you need assistance with building a business case for implementing an access governance solution, Aveksa has built a model that you can use and we'd be happy to step you through it.
Posted on Tue, Aug 17, 2010 @ 11:39 AM
It's no surprise to anyone at Aveksa that the insider access threat is a growing problem, as identified by Verizon's 2010 Data Breach Investigations Report.
"For security firms that argue malicious insiders are a greater threat than outside attackers, the latest Verizon Data Breach Investigations Report seems like vindication: The proportion of incidents with an insider agent doubled to 48 percent."
"Identity and access management are essential controls that companies need to block -- or at least, slow down -- attackers."
Verizon 2010 Data Breach Investigations Report
While many organizations have focused their security efforts on hardening the perimeter and putting a layered security approach in place against external attacks, little has been done to provide the same level of protection against insider threats (with the exception of areas where regulatory requirements define the risks and specify the controls).
Companies must certainly put controls in place to detect breaches. However, progressive organizations are focusing their efforts on implementing an access control framework that includes both detective as well as preventative controls.
Risk management best practice requires an organization to minimize a high level of inherent risk (such as with users that have the highest level of privileges within an information resource). But it's not just users with root and system administration level privileges that can be a threat to an organization. It could be a user that has access to sensitive information. Do they really need this access in order to do their current job? Does having these entitlements create a toxic combination of access that violates a regulatory mandate or introduces a potential business risk? These are the questions that organizations need to be able to answer in order to provide the assurance that insider access risks are being properly managed.
The reality is that organizations aren't doing a good job governing user access at any level. Why? Because user access is constantly changing. A 2010 Ponemon Institute study commissioned by Aveksa on Access Governance Trends found that in any given month, 10% of all users in an organization will require some change to their access.
Ponemon 2010 Access Governance Trends Survey
An access change management control framework should detect access change events, pre-determine what access is appropriate for a user given their functional role in the organization, and recognize what access they no longer need. Implementing such a framework enables management of the complete life-cycle of a user's access and provides a set of dynamic controls that minimize access-related risks.
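The framework described above, reduced to its three checks (change events between two entitlement snapshots, entitlements outside a user's role baseline, and toxic combinations of the kind mentioned in the previous post), as an added illustration that is not Aveksa's product code; the roles, entitlements, users and toxic pairs are constructed sample data:

```python
"""Access change review against a role baseline. Added illustration, not Aveksa's
product code; users, roles, entitlements and toxic pairs are constructed data."""
from dataclasses import dataclass

# Constructed role baseline: the entitlements each functional role should hold.
ROLE_BASELINE = {
    "ap_clerk": {"erp:invoice_entry", "erp:vendor_lookup"},
    "ap_manager": {"erp:vendor_lookup", "erp:payment_approve"},
    "dba": {"db:finance:read", "db:finance:admin"},
}
# Constructed toxic combinations: holding both violates segregation of duties.
TOXIC_PAIRS = [("erp:invoice_entry", "erp:payment_approve"),
               ("erp:vendor_create", "erp:payment_approve")]

@dataclass(frozen=True)
class Finding:
    user: str
    kind: str      # "added"/"removed" change events; "excess"/"toxic" violations
    detail: tuple

def diff_access(before, after):
    """Access change events: entitlements each user gained or lost between snapshots."""
    events = []
    for user in sorted(set(before) | set(after)):
        old, new = before.get(user, set()), after.get(user, set())
        events += [Finding(user, "added", (e,)) for e in sorted(new - old)]
        events += [Finding(user, "removed", (e,)) for e in sorted(old - new)]
    return events

def review_access(snapshot, roles):
    """Flag entitlements outside the user's role baseline and toxic combinations."""
    findings = []
    for user, ents in sorted(snapshot.items()):
        allowed = ROLE_BASELINE.get(roles.get(user), set())
        findings += [Finding(user, "excess", (e,)) for e in sorted(ents - allowed)]
        findings += [Finding(user, "toxic", (a, b)) for a, b in TOXIC_PAIRS
                     if a in ents and b in ents]
    return findings

# Constructed snapshots: alice transferred from AP clerk to AP manager but kept
# her old invoice-entry entitlement; carol (a DBA) was granted admin rights.
BEFORE = {"alice": {"erp:invoice_entry", "erp:vendor_lookup"},
          "bob": {"erp:vendor_lookup", "erp:payment_approve"},
          "carol": {"db:finance:read"}}
AFTER = {"alice": {"erp:invoice_entry", "erp:vendor_lookup", "erp:payment_approve"},
         "bob": {"erp:vendor_lookup", "erp:payment_approve"},
         "carol": {"db:finance:read", "db:finance:admin"}}
ROLES_AFTER = {"alice": "ap_manager", "bob": "ap_manager", "carol": "dba"}
```

Running `diff_access(BEFORE, AFTER)` surfaces the two grants as change events, and `review_access(AFTER, ROLES_AFTER)` flags alice's leftover invoice-entry entitlement both as excess for her new role and as a toxic pair with payment approval.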
Posted on Tue, Jul 13, 2010 @ 11:56 AM
Spotted this news article regarding an IT administrator who just received a one-year jail sentence for stealing and damaging data from his former employer.
http://www.darkreading.com/database_security/security/management/showArticle.jhtml?articleID=225800012&cid=nl_DR_DAILY_2010-07-13_h
This doesn't make a lot of sense to us. If all the credentials were revoked, then how did he get in? Was there a backdoor that this IT administrator created on a network firewall or database server? On the other hand, could it have been an access governance control failure due to a lack of process automation for an access revocation request and no closed-loop change validation to ensure that all accounts and entitlement privileges were in fact removed?
Termination of access rights can be a challenge for most organizations when they lack visibility into a user's access across all information resources and an access change control framework that can respond to events that regularly occur in the enterprise, such as when users join, transfer or are terminated from an organization. Aveksa has seen a 40% error rate in the timely fulfillment of revocation requests. Why? Too many organizations rely on their IT help desk systems to initiate and track access revocation requests. However, these systems lack the policy controls and request validation capabilities to provide an organization with the business assurance that the access was revoked and that the risk of unauthorized access to networks, applications, data and cloud-based information has been mitigated. It's even more important to have an access change control framework in place when it involves a privileged user, because the risk of a data loss occurring increases exponentially!
Posted on Wed, Apr 14, 2010 @ 11:40 AM
Aveksa sponsored a research survey conducted by Ponemon Institute on the state of Access Governance. This is the second survey that we've worked on with Ponemon Institute, and this one has some interesting trend analysis on how well organizations are achieving their objectives for properly governing user access compared with the 2008 survey findings.
We would like to invite you to join Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute, and Deepak Taneja, President and Founder of Aveksa, as they review all the survey findings and discuss a set of recommendations for improving how access is managed. Attendees of the 2010 Access Governance Trends Survey web seminar will also get a link to download a free copy of the complete report findings.
Date: Thursday, April 22, 2010
Time: 1:00pm ET/12:00pm CT/10:00am PT
Duration: 60 minutes
Register to attend this webinar
This study surveyed several hundred experienced IT practitioners from both multinational corporations and government organizations. The overall objective of this study was to understand how well IT practitioners are governing user access to information resources within their organizations.
Posted on Thu, Apr 08, 2010 @ 09:26 AM
Interesting to see what may be the beginnings of a consumer legal groundswell around data breaches that lead to identity theft. While many organizations haven't felt the wrath of customers taking action against them for the loss of personally identifiable information, that may now be changing, as evidenced by this recent Dark Reading coverage of the class action lawsuit against Countrywide Financial. Implementing good access governance controls should be of paramount importance, especially for business-to-consumer organizations. This clearly demonstrates that organizations need to think about how they better manage the business risks associated with providing access to sensitive information resources, as what's at stake is more than just a loss of consumer data, customer trust and reputation: the legal risks and operational costs are going to be substantially higher moving forward.
http://www.darkreading.com/database_security/security/privacy/showArticle.jhtml?articleID=224201969&cid=nl_DR_DAILY_2010-04-08_h
Customers Sue Countrywide Financial Over Theft And Sale Of Personal Data
Class-action suit seeks $20 million as well as answers about company's involvement
Apr 07, 2010 | 03:56 PM
By Tim Wilson
DarkReading
Customers of Countrywide Financial have filed a class-action lawsuit over the 2008 data breach that enabled company insiders to steal and sell their personal information.
According to a Courthouse News Service report, the class-action lawsuit on behalf of 16 plaintiffs seeks $20 million in damages, plus punitive damages.
The data theft, originally attributed to a single employee working over a two-year period, exposed tens of thousands of customer records.
The lawsuit alleges that Countrywide Financial employees stole and sold "tens of thousands, or millions" of customers' personal financial information, according to the news report.
The suit claims the defendants do not dispute that customers' private financial information was disseminated. It seeks to find out "whether the dissemination was intended as a plan or scheme, or was intentional; [and] whether any of the defendants was simply aiding and abetting, rather than an architect of the plan to disseminate the personal information."
The lawsuit also claims that the defendants were slow to admit the massive breaches of confidentiality, and offered little help when they finally did admit it. The defendants delayed disclosing the breaches to "gain time and money to extricate defendants from the financial stress [they] had created," the claim states.
The plaintiffs say their identities have been stolen or compromised, their credit histories have been "shattered," and they've been unable to obtain loans, lines of credit, or real estate financing. "Countrywide delayed several months before informing their customers," the complaint states. "Finally, Countrywide informed only certain of their customers by letter and offered in settlement to refer the customers/borrowers to counseling, when it was Countrywide that needed to review and repair its internal procedures."
Posted on Mon, Feb 01, 2010 @ 02:54 PM
We have seen countless articles on organizations that fail to remove access when it is no longer required for a person's functional role or when a person ends their relationship with the organization. An interesting article in the December 2009 issue of HR Magazine highlights the importance of access rights revocation from a legal perspective.
###
Be careful what computer use you authorize
The 9th U.S. Circuit Court of Appeals affirmed summary judgment against a substance abuse treatment center's claim under the Computer Fraud and Abuse Act (CFAA) that a former employee committed violations when he downloaded confidential company information for use in his personal consulting business while employed and continued to access the company's system after leaving its employ.
The court held that the employer authorized the employee to access the computer system as part of his job; that in exceeding employer-imposed limitations on access, the employee did not exceed authorized access under the law; and that undisputed evidence did not show either that the company deactivated the former employee's password or that he accessed the company's site after his employment ended.
###
What's interesting about this case is that the court found against the plaintiff (the company) because it did not deactivate the former employee's access credentials to a critical information resource. It's clear from this judgment that organizations have an obligation to proactively protect their information resources, and an organization that fails to put the proper access controls in place may be forgoing its ability to seek legal recourse.
If this organization had dynamic access governance in place, it would have been able to see that there was an orphaned account to a core information resource that couldn't be mapped to an active user in the company's HR system and revoke the account.
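The orphaned-account check described above, together with the closed-loop validation of revocation requests discussed in the July 13 post, as an added illustration that is not Aveksa's product code; the HR roster, account inventory, revocation requests and the "as of" date are constructed sample data:

```python
"""Orphaned-account detection and closed-loop revocation validation. Added
illustration, not Aveksa's product code; the HR roster, account inventory and
revocation requests below are constructed sample data."""
from datetime import date
from typing import NamedTuple, Optional

class Account(NamedTuple):
    resource: str          # information resource the account lives on
    account_id: str
    owner: Optional[str]   # HR employee id, or None if it could not be mapped

class Employee(NamedTuple):
    emp_id: str
    status: str            # "active" or "terminated"

class Revocation(NamedTuple):
    emp_id: str
    due: date              # date by which the revocation request should be fulfilled

def find_orphans(accounts, roster):
    """Accounts that cannot be mapped to an active employee in the HR system:
    either unmapped entirely, or mapped to someone HR lists as terminated."""
    active = {e.emp_id for e in roster if e.status == "active"}
    return [a for a in accounts if a.owner not in active]

def validate_revocations(requests, accounts, today):
    """Closed-loop check: a revocation is fulfilled only when no account on any
    resource still maps to the employee; otherwise it is pending or overdue."""
    still_live = {}
    for a in accounts:
        if a.owner:
            still_live.setdefault(a.owner, []).append(f"{a.resource}:{a.account_id}")
    report = {}
    for r in requests:
        remaining = still_live.get(r.emp_id, [])
        status = "fulfilled" if not remaining else "overdue" if today > r.due else "pending"
        report[r.emp_id] = (status, remaining)
    return report

ROSTER = [Employee("E100", "active"), Employee("E101", "terminated"),
          Employee("E102", "terminated")]
ACCOUNTS = [Account("hr_db", "jsmith", "E100"), Account("erp", "jsmith", "E100"),
            Account("erp", "mlee", "E101"),           # owner left; account still live
            Account("fw_admin", "svc_backup", None),  # no HR owner at all
            Account("vpn", "kchan", "E102")]
REQUESTS = [Revocation("E101", date(2010, 7, 1)), Revocation("E102", date(2010, 7, 20))]
AS_OF = date(2010, 7, 13)   # constructed "today" for the check
```

With the sample data, `find_orphans` returns the terminated employees' accounts and the unowned firewall service account, while `validate_revocations` reports E101's request as overdue and E102's as still pending.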