Tag Archives: data access governance

SharePoint Access a Key Factor in Bradley Manning Leaks

According to the Army’s digital forensic expert, accused WikiLeaker Bradley Manning obtained classified Guantanamo Bay detainee assessments from a SharePoint site and subsequently leaked them to WikiLeaks. Wired magazine states that the forensic analyst discovered “scripts on Manning’s computer that pointed to a Microsoft SharePoint server holding the Gitmo documents. He ran the scripts to download the documents, then downloaded the ones that WikiLeaks had published and found they were the same” [1].

Unauthorized SharePoint access is a common security gap in many organizations. We’ve seen numerous customers struggling with this, unable to get their arms around who has access to which SharePoint site, and what types of data (classification, risk level, and content) are thus accessible.

While most organizations don’t need to worry about employee access to classified information, rogue access to confidential corporate information can nonetheless be damaging and expensive – as clearly demonstrated by the RSA and Sony incidents this year.

I’m sure there will be additional Information Security-related aspects of the ongoing Manning hearing, and we’ll continue to cover them here.

“Dark Reading” on SQL Injection Attacks

Interesting overview of SQL injection attacks in the current issue of Dark Reading (http://www.darkreading.com/ – look for it in the Supplement portion of the Current Issue; registration required).

I found this to be an easy read, and a good (and modestly technical) overview of the kinds of weaknesses that often exist in websites that use SQL behind a form. While most of the recommendations are tailored to the SQL developer (such as #1: Input Validation, or #3: Parameterized Queries), the one that’s different, and should be embraced by a broader audience, is #5: Least Privilege Principle: “Give users only the access and privileges that they absolutely need to perform their jobs”.

And in order to do so, you clearly need visibility of who has access to what, and control of the process for evaluating, granting, and revoking access. In short, you need access governance.
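To make the three recommendations concrete, here is a small added Python example (not code from the Dark Reading article or from Aveksa). It puts the vulnerable string-spliced query beside its parameterized form, adds an allow-list validator in front of it, and, as a stand-in for a least-privileged database account, uses SQLite’s authorizer hook so the application’s connection can only read the table. The table, rows, username pattern and the authorizer approach are all assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample data (not from the Dark Reading article): a small "users" table
# of the kind that sits behind a website's login or search form.
SAMPLE_USERS = [("alice", "admin"), ("bob", "staff"), ("carol", "staff")]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The weakness the article describes: the form value is spliced into the SQL text,
    so a value containing quotes rewrites the WHERE clause instead of being compared."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Recommendation #3, Parameterized Queries: the value travels as a bound parameter,
    so the engine treats it as data no matter which characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Recommendation #1, Input Validation: an allow-list for what a username may look like
# (assumed format for this example).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(username):
    """True only if the whole value matches the allow-list pattern."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(conn, username):
    """Validation in front of a parameterized query: reject malformed input early,
    and rely on binding (not on the regex) to keep the SQL intact."""
    if not validate_username(username):
        raise ValueError("username failed validation")
    return lookup_parameterized(conn, username)


def apply_least_privilege(conn):
    """Recommendation #5, Least Privilege, in SQLite terms. A server database would use a
    dedicated account granted only SELECT on this table; SQLite has no accounts, so the
    stand-in used here (an assumption for the example) is an authorizer hook on the
    application's connection that permits reads of the users table and denies all else."""
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == "users":
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)


def write_is_blocked(conn):
    """Return True if the least-privilege connection refuses a write, an operation the
    form's query path never needs and therefore should not be able to perform."""
    try:
        conn.execute("UPDATE users SET role = 'admin' WHERE username = 'bob'")
    except sqlite3.DatabaseError:  # SQLite reports the denial as "not authorized"
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed tautology input, the classic test case
    print("vulnerable:    ", lookup_vulnerable(conn, payload))     # every row comes back
    print("parameterized: ", lookup_parameterized(conn, payload))  # [] (compared as a value)
    apply_least_privilege(conn)
    print("write blocked: ", write_is_blocked(conn))               # True
    print("hardened(bob): ", lookup_hardened(conn, "bob"))
```

The ordering matters: validation reduces what reaches the query, binding makes the query safe regardless of what reaches it, and the restricted connection limits the damage if either of the first two is bypassed elsewhere in the application.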


Introducing Data Access Governance

Today, Aveksa announced our newest module, extending Access Governance to unstructured data (read the press release here). This new Data Access Governance module gives organizations the same level of access visibility and control over data resources that they currently have over applications and platforms.

We’re very pleased to be able to offer this to the market, especially given the many recent, well-publicized security breaches. These very clearly show the need for organizations to put in place well-structured and sustainable security programs, and visibility and control of access to sensitive data is a key part of this. Ensuring that only authorized users have access to data can significantly reduce the likelihood that data will be lost; compare this to what is often the case today, where any user can access the data.

With the new module, customers can collect fine-grained entitlement information about SharePoint sites and Windows file shares (as well as Windows servers and SQL Server databases). These resources typically house a large portion of organizations’ data, especially the unstructured files that audit & compliance teams are justifiably concerned about. Now the InfoSec team can add these resources to their certification processes, include access to them in their Roles, and have users request access through a self-service Access Request portal.
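As an added illustration of the “who has access to which SharePoint site, and to what kind of data” question raised in the Manning post above, and of the entitlement collection and certification described here, the following Python example (not Aveksa’s code) takes constructed SharePoint and file-share grant records plus directory group membership, resolves nested groups into effective per-user access, and builds a review queue for certification. The resource names, permission-level names, classification labels and the rules for what gets flagged are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample inventory (not collected from any real tenant or from Aveksa's product):
# two SharePoint sites and one Windows file share, each with an owner-assigned classification.
RESOURCES = {
    "sp://intranet/Finance":   {"type": "SharePoint site", "classification": "Confidential"},
    "sp://intranet/Cafeteria": {"type": "SharePoint site", "classification": "Public"},
    "\\\\fs01\\HR":            {"type": "File share",      "classification": "Confidential"},
}

# Direct grants as they would be read from site permissions or share ACLs:
# (resource, principal, permission level). Level names are assumed for the example.
GRANTS = [
    ("sp://intranet/Finance",   "group:Finance-Team", "Contribute"),
    ("sp://intranet/Finance",   "group:SP-Admins",    "Full Control"),
    ("sp://intranet/Cafeteria", "group:Everyone",     "Read"),
    ("\\\\fs01\\HR",            "group:HR-Staff",     "Modify"),
    ("\\\\fs01\\HR",            "user:contractor7",   "Modify"),
    ("\\\\fs01\\HR",            "group:Everyone",     "Read"),
]

# Directory group membership; nested groups (and the accidental cycle) are routine in AD.
GROUPS = {
    "group:Finance-Team":  ["user:alice", "group:Finance-Leads"],
    "group:Finance-Leads": ["user:dave", "group:Finance-Team"],
    "group:SP-Admins":     ["user:admin1"],
    "group:HR-Staff":      ["user:erin"],
    "group:Everyone":      ["user:alice", "user:dave", "user:admin1", "user:erin", "user:contractor7"],
}

WRITE_LEVELS = {"Contribute", "Modify", "Full Control"}        # assumed write-capable levels
BROAD_GROUPS = {"group:Everyone", "group:Authenticated Users"}  # grants that mean "anyone"


def expand_members(principal, groups, seen=None):
    """Resolve a principal to the set of users behind it, following nested groups and
    tolerating membership cycles (a group that indirectly contains itself)."""
    if principal.startswith("user:"):
        return {principal}
    seen = set() if seen is None else seen
    if principal in seen:
        return set()
    seen.add(principal)
    users = set()
    for member in groups.get(principal, []):
        users |= expand_members(member, groups, seen)
    return users


def effective_access(grants, groups):
    """Build the 'who has access to what' view: user -> resource -> set of permission levels."""
    access = defaultdict(lambda: defaultdict(set))
    for resource, principal, level in grants:
        for user in expand_members(principal, groups):
            access[user][resource].add(level)
    return access


def certification_queue(resources, grants, groups):
    """Items a data owner should confirm or revoke. Rules (assumptions for the example):
    broad groups on Confidential resources, direct user grants on Confidential resources
    (access that bypasses roles), and every user holding write access to Confidential data."""
    queue = []
    for resource, principal, level in grants:
        if resources[resource]["classification"] != "Confidential":
            continue
        if principal in BROAD_GROUPS:
            queue.append((resource, principal, level, "broad group on confidential resource"))
        if principal.startswith("user:"):
            queue.append((resource, principal, level, "direct user grant; should go through a role"))
        if level in WRITE_LEVELS:
            for user in sorted(expand_members(principal, groups)):
                queue.append((resource, user, level, f"write access via {principal}; certify"))
    return queue


if __name__ == "__main__":
    for user, per_resource in sorted(effective_access(GRANTS, GROUPS).items()):
        for resource, levels in sorted(per_resource.items()):
            print(f"{user:18} {resource:26} {', '.join(sorted(levels))}")
    print()
    for item in certification_queue(RESOURCES, GRANTS, GROUPS):
        print("REVIEW:", *item)
```

The group expansion is the part that matters in practice: a grant to a single nested group can quietly give dozens of people write access to a confidential site, and that only becomes visible once membership is resolved down to individual users and joined with the resource’s classification.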

Take a look, and tell us what you think!

NetworkWorld Highlights SharePoint Data as a Source of Risk

According to a recent survey summarized in Network World, 48% of respondents indicate that they share privileged company information via SharePoint, while 64% indicate that they do not maintain an audit log around their SharePoint installations. These numbers, while not terribly surprising, should at least raise some eyebrows, and prompt some analysis and thinking about the widespread use of SharePoint.

It comes down to some simple questions: do you know who has access to what data on your SharePoint sites? Is this something that’s going to be of interest to your auditors? Would you be better off with a clear view of this, so that the business people (who publish the shared documents and manage the users who access them) can make informed decisions about who has access to what?

Access governance control failure leads to data loss & lawsuit

It is interesting to see what may be the beginnings of a consumer legal groundswell around data breaches that lead to identity theft. While many organizations haven’t yet felt the wrath of customers taking action against them for the loss of personally identifiable information, that may now be changing, as evidenced by this recent Dark Reading coverage of the class-action lawsuit against Countrywide Financial. Implementing good access governance controls should be of paramount importance, especially for business-to-consumer organizations. This case clearly demonstrates that organizations need to think about how they manage the business risks of providing access to sensitive information resources: what’s at stake is more than just a loss of consumer data, customer trust and reputation; the legal risks and operational costs are going to be substantially higher going forward.

http://www.darkreading.com/database_security/security/privacy/showArticle.jhtml?articleID=224201969&cid=nl_DR_DAILY_2010-04-08_h

Customers Sue Countrywide Financial Over Theft And Sale Of Personal Data

Class-action suit seeks $20 million as well as answers about company’s involvement

By Tim Wilson

DarkReading

Customers of Countrywide Financial have filed a class-action lawsuit over the 2008 data breach that enabled company insiders to steal and sell their personal information.

According to a Courthouse News Service report, the class-action lawsuit on behalf of 16 plaintiffs seeks $20 million in damages, plus punitive damages.

The data theft, originally attributed to a single employee working over a two-year period, exposed tens of thousands of customer records.

The lawsuit alleges that Countrywide Financial employees stole and sold “tens of thousands, or millions” of customers’ personal financial information, according to the news report.

The suit claims the defendants do not dispute that customers’ private financial information was disseminated. It seeks to find out “whether the dissemination was intended as a plan or scheme, or was intentional; [and] whether any of the defendants was simply aiding and abetting, rather than an architect of the plan to disseminate the personal information.”

The lawsuit also claims that the defendants were slow to admit the massive breaches of confidentiality, and offered little help when they finally did admit it. The defendants delayed disclosing the breaches to “gain time and money to extricate defendants from the financial stress [they] had created,” the claim states.

The plaintiffs say their identities have been stolen or compromised, their credit histories have been “shattered,” and they’ve been unable to obtain loans, lines of credit, or real estate financing. “Countrywide delayed several months before informing their customers,” the complaint states. “Finally, Countrywide informed only certain of their customers by letter and offered in settlement to refer the customers/borrowers to counseling, when it was Countrywide that needed to review and repair its internal procedures.”