Researchers recently uncovered a vulnerability in Exchange that allows any domain user to obtain Domain admin privileges that allow them to compromise AD and connected hosts.

Here’s how the attack works:

• Attacker uses a compromised mail-enabled domain user to subscribe to the exchange push notification feature
• Attacker uses an NTLM relay to impersonate the exchange server:
• The Exchange server authenticates to the compromised user’s host using NTLM over HTTP, which the attacker users to authenticate to the domain controller via LDAP with the exchange account’s credentials
• Attacker then uses the exchange account’s permissions to change permissions on the domain object*

The attacker can then run a DCSync to get hashed passwords of all domain users – which enables them to execute different types of attacks – from golden ticket attacks to pass the hash.

Our research team has investigated and built a guide for our customers to detect this type of attack – and to see if they’ve been compromised already.

Here’s what you need to know.

*This last step could also be by a rogue admin, who has legitimate access to make that permission change: by creating a rule to detect on that activity, you’ll be covered either way.

How to Detect Domain Privilege Escalation

In DatAlert, create a custom rule to monitor specific permission changes on an object – this will trigger when a Directory Services object permission is added on the domain object.

1. Set the rule name
2. Set the alert category to “privilege escalation”
3. Set resource type to “all values selected”
4. Define the affected Object:
5. File Server = DirectoryServices
6. Choose the Domain object
7. Create filter for DS object permission added

Running the Report: How to Detect Permission Change on the Domain Object

Permission changes on the domain object shouldn’t be common; anything that triggers this alert should be investigated.  Keep in mind, this is only a checkbox away from alerting on any DS permissions change (don’t forget to leave the “search in child objects unchecked!) – so generate a report to validate the alert before you deploy.

You’ll be able to see in this report if you’ve already been compromised by this attack as well.

Once the rule is deployed, you can investigate this type of privilege escalation through the web UI:

Once that rule is set up, you’ll be able to monitor and protect against these types of security vulnerabilities, investigate Directory Services object events, and verify whether or not you’ve been affected by this vulnerability.

Check out the Microsoft security update as well – and reach out to your SE if you have any questions.

Version 7.0 of the Varonis Data Security Platform is here – featuring new cloud support and advanced threat detection and response capabilities: new event sources and enrichment; out-of-the-box threat intelligence applied to Varonis security insights; and playbooks that arm customers with incident response plans right in the web UI so customers can easily follow best-practice responses to security incidents. 

New Dashboards Highlight Cloud, Active Directory and GDPR Risks

Active Directory risk dashboards, GDPR dashboards, and Office 365 dashboards offer at-a-glance visibility into critical exposures and concerns on key data stores and Active Directory. Widgets within each dashboard provide drill-down context and explanations of security risks and vulnerabilities: from vulnerable user accounts to at-risk cloud data to potential compliance violations.

Support for Box Security Events

The Varonis Data Security Platform was created to protect enterprise data wherever it’s stored, and that now includes data stored in Box. Customers can filter, search, and sort by event type including impersonation events, sharing events, and more; highlight risky behavior like over-permissive sharing and impersonation; and see where to remediate security vulnerabilities.  

Additional Office 365 and Active Directory Events Add Intelligence and Context for Alerting and Investigations

New event and entity information enhance Exchange Online, Azure AD and Active Directory monitoring. Attackers commonly exploit weaknesses or misconfigurations in Azure and on-premises Active Directory to escalate privileges and access data, including email stored in Exchange Online; additional telemetry from their directory services will help customers reduce the time it takes to detect and respond to threats on premises and in the cloud.  

Threat Intelligence Details Provide Deeper Insights

Monitor and track malicious (or suspicious) connections with out-of-the-box threat intelligence.  Varonis security insights and events are now enriched with information about risky external connections. Customers can now get external IP and URL enrichment in context with suspicious behavior and unusual activity for deeper insight on potential security incidents. 

Incident Response Playbooks Map Out Next Steps

Incident response plans from our cybersecurity research lab are now built into the Varonis UI as playbooks: our security experts mapped out best practices for responding to different types of cyberattacks – covering everything from incident notification to containment to recovery, along with actionable steps to eradicate threats and improve security postures for future attacks. 

Increased Speed and Scalability with Solr

Version 7 optimizes the use of Solr for dramatically faster and more intuitive investigations. Solr enables rapid data aggregation, visualization, and horizontal scalability on commodity hardware, even with billions of events. By innovating on top of Solr, Varonis customers can provision relatively little hardware and receive significant performance improvements. Customers will benefit from faster search auto-completion, improved search response and immediate access to search results, even during their compilation.  

…and More

Additional features from version 7.0 include more out-of-the-box reports (including reports on overexposed regulated and GDPR data); new threat models to detect additional types of cyberattacks; faster updates to the web UI; saved searches for more collaborative investigations, and more. 

Join us live on Thursday, January 24th at 2:00 PM ET to see version 7.0 in action – or get an exclusive 1:1 demo this week to see how Varonis can transform your data security. 

 

We take well over a trillion photographs a year, upload hundreds of hours of video a minute, and commit search queries tens of thousands of times per second. The sheer amount of data that companies save is staggering and growing exponentially year-over-year.

Social media giants, web infrastructure providers and other large companies around the world manage data at dizzying scales. Not only do these corporations handle a lot of data — they handle important and sensitive data as well. Huge reputational and financial stakes ride on businesses being able to protect their internal servers. Even smaller organizations possess sensitive data. With so much of this valuable information scattered across on-premises & cloud data centers, it’s more important than ever to know how to keep information where it belongs, and out of the hands of those who’d use it for harm.

In order to understand how to properly manage all our data, though, we’ll need some sense of how much there is to manage in the first place. But how do we begin to conceptualize the sheer scale of all this information? You may have heard of an “exabyte,” but does it mean anything to you? Trying to picture a billion gigabytes is like trying to picture all the people living in New York City right now: your brain is simply not built to process such quantities.

To help you get some sense for how much data exists in the world today, we’ve come up with some analogies and visual aides. Check them all out below.

The images above should give you at least some broad sense of how much digital information companies manage.

It’s important to remember, though, in the midst of all these remarkable statistics, that having a lot of data means we have a lot of data to protect. Perhaps we should be asking ourselves: how can businesses properly defend this universe of information at our fingertips?

It’s more important than ever for companies to keep a tight hold over their proprietary information, and their customers’ sensitive information. It should be the foremost concern for those who act as gatekeepers to humanity’s secrets to invest in data security, seek the advice of experts in the field, and maintain up-to-date, comprehensive security protocols.

If we don’t implement the proper precautions now, we can have exabytes-worth of problems on our hands.

Sources:

The Guardian | MerchDope | Ardor SEO | Cisco | Architecture of France | The Atlantic | UCSB | Lifewire

Data privacy laws are fast becoming a primary element in any data security conversation: from the EU’s GDPR to the California Consumer Privacy Act to Japan’s Act on the Protection of Personal Information, the ability to protect consumer data is top of mind. For companies that are built around consumer data, consumer trust becomes a vital part of their business model.

On May 25, 2018, the EU General Data Protection Regulation (GDPR) went into effect. And in the wake of the EU’s GDPR came another shift in data privacy — the California Consumer Privacy Act (CCPA). On June 28, 2018, Governor Jerry Brown signed the CCPA, which will enact some of the country’s most powerful consumer data privacy protections into law.

With the devastating series of data breach incidents in the past couple of years, many questions and concerns have arisen about the way consumer data is being handled. 2017 was the year of the data breach with the magnitude of high-profile incidents at companies such as Equifax and Yahoo. Attacks like these make data breaches seem part of normal life— not just in the United States, but around the world.

While the GDPR was created to protect citizens of the EU, its impact spans much farther. The CCPA is an outcome of the GDPR’s reaching influence, shifting government priorities and making them more willing to protect individual privacy. Although the CCPA does not go into effect until January 1, 2020, it’s important to be aware of the policies and processes necessary for compliance, and to analyze the current and future impact it will have in comparison to GDPR.

CCPA Overview

Businesses have a track record of using personal information to benefit their own agenda: the California Consumer Privacy Act (CCPA) will serve to protect California consumer rights and encourage stronger privacy and greater transparency overall. It will give consumers ownership, control, and security over their personal information – and consumers will have the ability to request that any business disclose (and delete) the personal information that it collects, and request that their data not be sold to third parties.

These data protections give Californians the right to:

• Know what personal information is being collected
• Access the personal information that is collected, and request it be deleted
• Know whether their personal information is being shared, and if so, with whom
• Opt-out of the sale of their personal information
• Have equal service and price, whether or not they choose to exercise their privacy rights

Businesses will also be prohibited from selling the personal information of consumers ages 13–16 (unless the consumer opts-in). For consumers under the age of 13, consent from a parent or guardian will be required. These new protections not only affect California consumers, but also California businesses.

Who Does the CCPA Apply to?

The California Consumer Privacy Act defines a business as a for-profit entity that collects consumer personal data. So, if you’re a business in the state of California that meets at least one of the following thresholds, you may be subject to compliance:

• Businesses that earn $25,000,000 or more a year in revenue
• Businesses that annually buy, receive, sell or share personal information of 50,000 or more consumers, households or devices for commercial purposes
• Business that derive 50% or more of its annual revenue from selling consumer personal information

Under the CCPA, California citizens will have the ability to bring a civil action lawsuit against companies that do not abide by the law. The state can also bring these charges to a company directly — charging a $7,500 fine for any violation that is not addressed within 30 days.

Why does California’s new law matter for everyone else? It’s part of a global trend pushing companies toward greater accountability with regard to protecting consumer data. Additionally, it has given other countries and states a push towards the importance of taking personal data and consumer rights to data privacy more seriously. Chief proponent of the CCPA Alastair Mactaggart stated that, “While this law just covers California currently, large companies will soon have to offer similar rights to Americans.”

CCPA vs. GDPR

The European General Data Protection Regulation is an evolution of the EU’s existing data rules, the Data Protection Directive (DPD). It addresses many of the shortcomings in the DPD, including adding requirements for documenting IT procedures, performing risk assessments under certain conditions, notifying the consumer and authorities when there is a breach, and strengthening rules for data minimization. People who are familiar with the GDPR will notice some strong similarities to the CCPA.

The CCPA is said to be a model of the GDPR. And, with the recent passage of the CCPA, many people have been wondering how it compares to the GDPR — with some even calling it the American version of the regulation. No matter how influenced the CCPA may have been by the GDPR, there are some clear differences worth noting in each legislation.

Both the CCPA and the GDPR give individuals certain rights to how their personal information is collected and used, however, there are several important contrasts to be aware of. Because California has a much larger economy than the UK, the implications of penalties may be even more severe than that of the GDPR. Even though the CCPA does not go into effect until 2020, we’re already seeing it influence federal legislation.

Check out our interactive Venn diagram below to better understand the similarities and differences between the GDPR and CCPA.

X

CCPA

Effective date

January 1, 2020

X

CCPA

Who it protects

“Consumers” who are California residents.

X

CCPA

Personal information

Defined as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly, with a particular consumer or household.” This includes not only identifiers like name or address, but extends to browsing history, behavioral data, and more.

X

CCPA

Rights granted

Grants consumers five rights:

1. The right to disclosure.
2. The right to deletion.
3. The right to access.
4. The right to opt-out.
5. The right to non-discrimination.

X

CCPA

Right to deletion

CCPA right to deletion applies to data collected from and about the consumer.

X

CCPA

Who must comply

“California businesses” of substantial size (with regard to revenue or number of consumers affected) that collect consumer personal data.

X

CCPA

Basis for consent

Allows sites to collect and sell your data if you sign up or make an online purchase and only offers consumers the right to opt-out.

X

CCPA

Time allowed to respond
to a request

Responsible parties have 30 days to respond to a request.

X

CCPA

Financial penalties

Organizations in breach can be fined up to $2,500 per violation for negligent violations and up to $7,500 per violation for intentional violations.

X

CCPA

GDPR

Similarities

• Encourage transparency in businesses/related entities.
• Require businesses/related entities to report data breaches to consumers/individuals.
• Look to better secure and protect the personal information of an individual.
• Define data processing as “any operations performed on personal data, automated or otherwise.”

X

GDPR

Effective date

May 25, 2018

X

GDPR

Who it protects

“Data subjects” in the European Union.

X

GDPR

Personal information

Defined as any information relating to an identified or identifiable natural person, directly or indirectly. This usually means data like address, license plate numbers, SSN, blood type, bank account information, and more.

X

GDPR

Rights granted

Grants data subjects eight rights:

1. The right to be informed.
2. The right of access.
3. The right to rectification.
4. The right to erasure.
5. The right to restrict processing.
6. The right to data portability.
7. The right to object.
8. Rights in relation to automated individual decision making, including profiling.

X

GDPR

Right to deletion

GDPR right to deletion applies to all data collected about the consumer.

X

GDPR

Who must comply

Any “data controllers” (who determine the purpose and means of processing the data) and “data processors” (who process this data for the controller) that holds personal data of EU citizens.

X

GDPR

Basis for consent

Requires consumers to opt-in to data collection by instructing sites to get consent before collecting data.

X

GDPR

Time allowed to respond
to a request

Responsible parties have 40 days to respond to a request.

X

GDPR

Financial penalties

Organizations in breach can be fined up to 4% of annual global turnover or EUR 20 million.

The Big Picture

Governments are beginning to take data privacy very seriously. Like the GDPR, the CCPA iwill have far-reaching impacts across state jurisdictions. And, although the CCPA does not go into effect for another 15 months, we’ve learned from the GDPR that a year and a half isn’t a lot of time to become compliant.

It’s important to start preparing now: being prepared will save your company a lot of headaches (and costly enforcement actions) in the future. Meeting subject access requests – whether for GDPR, CCPA, or another regulation – can be especially difficult to achieve: you need to be able to identify content related to a data subject, classify and protect consumer data, and sometimes even delete upon request.

Don’t expect this to be the last privacy act, either — there are many more on the horizon. Companies should be prepared to meet more stringent data privacy regulations that focus on data discovery, security, and classification.

“Those who cannot remember the past are condemned to repeat it.” – George Santayana

The first computer virus was created in the early 1970s and was detected on ARPANET, the predecessor to the internet. In 1988 the first computer worm was distributed, gaining mass mainstream media attention. A quarter of a century later and viruses have evolved to become a pandemic. Viruses have proliferated quickly and malware has become more complex.

Cyber attacks happen daily and are constantly evolving. From computer worms to large data breaches, attacks come in all shapes and sizes. In the past quarter century alone, cyber attacks have evolved from tiny hacks created by high-school students to state-sponsored attacks compromising presidential elections.

While threats continue to develop, so does the defense against them. It’s important to remember these past events in order to combat impending attacks. Milestone incidents are what made cybersecurity what it is today – take a look at the top 8 events that changed cybersecurity, and why they (still) matter.

Though new cyber attacks appear each day, these top 8 watershed moments had a major impact on security and have led to where we are today. Here are just a few lessons we can learn from cybersecurity history.

1. Never assume it won’t happen to you: Anyone and everyone is susceptible when it comes to data – whether it’s stored in the cloud or on premises.
2. Hackers come from all over: Attacks no longer comes exclusively from hackers in their parents’ basements. They have evolved geographically, advanced in sophistication, and the amount of attacks from overseas has increased drastically.
3. Insiders are just as dangerous: Vulnerabilities now come from the inside as well. All it takes is one click on a phishing email. Educate your employees on basic cybersecurity terms so that they are able to protect themselves and the company.
4. Hackers are not going away: With change in technology comes change in crime — and cybercriminals are working harder than ever. It’s important to always be alert and keep up with important trends in order to keep you and your organization as safe as possible.

Unfortunately, the number of cyber attacks is only going to continue increase, and the impact of those attacks is becoming more significant than ever. It’s important to arm ourselves with what we can: learn from the past and protect your data first, not last.

Uncover your biggest security risks with a data risk assessment – and see how Varonis helps protect your data from the next generation of cyber attacks.

Infographic Sources:
Infosecurity, CSO, Verizon Data Breach Report, Wikipedia, TheGuardian