February 16, 2016
So I watched Neil Blomkamp’s CHAPPiE on a plane last week and one thought is stuck in my mind: The entire story would not have happened if nice folks at the company producing police robots had simply followed few really trivial security practices…
(I’ll try to avoid any spoilers in this post. CHAPPiE definitely reminds of good old RoboCop: post-industrial setting, street gangs, good robots, bad robots, and a lot of shooting… On top of all that, the movie raises questions about soul, humaneness, family values – in the coming age of AI. It’s not a bad movie and definitely helped me to bide my time on a long flight.)
So, here’s my list of poor security practices at Tetravaal (a fictitious company that develops, produces, and controls heavily armed robots) that got the city of Johannesburg into all the mess:
- Role separation does not exist or isn’t enforced. Lead research engineers that work on new robot models also operate, troubleshoot, and update robots that are already in the field. Even worse: engineers from a competing project also have full access to all projects within the company. Actually, this one alone was enough to set the plot in motion- but there’s more!
- Network segmentation and isolation, anyone? Same access keys and permissions let you into test environment, robot-controlling network in the field, and even the manufacturing lines! All of these are accessed and controlled from the same computer – actually, any computer, as soon as you insert a special highly secure USB stick.
- One-and-a-half-factor authentication. Now, that thumb drive is the core of their security. Only one copy exists and it is required to make any major changes. They just share it. The USB stick is stored behind a locked door that requires physical key and a code to get thru. Once you have it, you can log in and do whatever you want with your password and this shared thumb drive.
- No change control process. Seriously. The guy just walks up to the CEO’s office and asks “can I borrow the key to make changes?”. Once she verbally approves, he just walks to grab the thumb drive and gains full access to all these deadly weapons carrying robots in the streets. Actually, they did not even ask most of the time.
- Lack of audit process and policy enforcement. I have to admit it, they have some audit. Two days (!) after the good engineer guy took that super-critical USB stick (without any authorization), someone from security called him on the phone. But these naive security people just asked the engineer to return the thumb drive by “end of day tomorrow”, otherwise they would “have to inform” the CEO…
Obviously, I understand this is fiction. Lack of security processes and awareness may be okay in the movie if it’s needed to justify the rest of the story. But think about it: the very same mistakes lead to the huge data breaches we’ve been hearing on the news all over recent couple years. Target, Sony, Anthem, you name it. Luckily, life is not a movie where these mistakes led to much destruction and violence in the city streets – it’s mostly financial and reputation losses in real life. Still, maybe we should pay a bit more attention to this security thing after all?
June 19, 2015
Comparison of cyber security world to the Wild West sounds a bit too obvious. But I can’t help thinking of it, sorry.
The analogy came to mind as I was catching up on the recent news: data breach at the US Office of Personnel Management and Duqu 2.0 malware in Kaspersky’s network. Over 4M records stolen from the government of one of the most technologically advanced countries. Malware has been stealing data from one of the top cyber security firms for months. Wow. Do you still think any rules exist, or anybody’s data is safe?
Now, these news may not really change the game, but there are few things they help to highlight:
Malware and spyware evolve really fast. What we call malware is not coming from cyber-criminals only. There are serious government funds. There are bright minds working on destructive tools with good intentions, such as keeping their nation safe and secure. That is, the malware evolves at a faster pace. Kaspersky Lab engineers describe Duqu 2.0 as being “generation ahead” of anything they’ve seen to date.
I am neither a government nor a cyber-security giant. Am I safe? – NO, sorry. It’s just a question of time before the cyber-crooks get access to more advanced tools. They are well motivated to understand and use whatever helps bypass traditional security measures. They are probing all doors, enterprise, non-profit and small business alike. The goals may differ, but ultimately anyone can become a target: harvesting personal data to sell; going after specific trade secrets; building botnets; trying to gain access to your bank account. If you really want to know their motivation, Spam Nation by Brian Krebs is a pretty good window into that side of the world.
Can I prevent them from getting into my network? – Again, the answer is NO. Assume you’ve been breached already. What you can do though is maximize the costs for the adversary and minimize the damage for your business. (It’s that easy, eh?) There’s nothing new and this is all common sense. Evaluate the business risks and adjust your IT processes and policies to them. Put most of your efforts on what presents the highest risk for the business. Isolate and protect what’s most valuable. Consider tools that allow you to detect an intrusion as early as possible. Consider processes and tools that give you continuous feedback on how security controls and policies work. Patch your systems regularly. Trivial. Details and costs vary greatly, but overall approach is similar regardless of what environment we are looking at.
Stay safe and have a good weekend.
December 12, 2014
It’s curious how sometimes things you’ve just talked about start showing up on the news. Few weeks ago we had a discussion about trends in the IT security space with my colleagues here at Netwrix. We talked about number of things, how user habits and new technologies will require the IT security industry to come up with new and creative solutions in previously untouched spaces. Following that discussion Michael summarized and posted security predictions for 2015 on Netwrix blog.
As Niels Bohr said, “Prediction is very difficult, especially if it’s about the future.” Many of Michael’s predictions are about the trends we already see now, extending into the next year. Still if was exciting to see his blog post co-inside with some of the industry news that perfectly illustrate some of the points. Below are just two examples, and I am pretty sure we can expect more to come!
Here’s what Michael writes about cloud adoption:
The security of cloud technologies will continue to develop, focusing on the following three tendencies: improved data encryption; the ability to access audit trails for configuration management and the secure accessing of data; and the development of security brokers for cloud access, allowing for user access control as a security enforcement point between a user and a cloud service provider.
Well, what we see in the news seems to highlight exactly that. Amazon announced their new AWS key management service and enhanced visibility into configuration changes with AWS Config service at the re:Invent conference in November; then Dropbox launched new Dropbox for Business API last week; and couple days ago Box CEO Aaron Levie announced the new Box Trust security partnership to build up enterprise customers’s confidence in cloud solutions.
Another quote from Netwrix blog is about Internet of Things (IoT):
The IoT is likely to play a more significant role in business innovation in 2015 and beyond. The devices and systems that connect to it, meanwhile, require proper management, as well as security policies and provisions. The security ecosystem that has not yet formed around many of these devices will continue to develop.
Once again, the news that came out earlier this week is the perfect illustration of this growing trend: Belden to acquire Tripwire press release. Frankly, I did even hear about Belden before, but they are well-established in networking and operational technology. If you look at Belden’s investor summary presentation, the primary goal is to set the foot in the industrial side of the rising IoT space.
Interesting times. The IT security industry is evolving rapidly, and the future literally is now. Once again, you can read Netwrix predictions for IT security in 2015 here.
September 19, 2014
It’s been very long time since I last posted anything on this blog. About a year ago I moved from Dell Software’s SharePoint solutions group to take over product management in a company called Netwrix. Here at Netwrix I spend less time with SharePoint, as we do change and access auditing for a number of different IT systems and applications, primarily within Microsoft ecosystem.
To be honest, it was unclear to me what to do with the blog. I am still quite interested in SharePoint governance and management topics, but it is no longer the main focus of my day to day work. So I finally decided to resume blogging, and here’re the first couple changes here.
I am going to use the WordPress.com alias as the main blog URL again. The old alias (http://blog.sharepoint-recovery.com) will redirect here, but is no longer describing the main point.
I also renamed the blog to be more consistent with its new (expected) contents :) Even the ancient Greeks knew that the only constant is change (thanks to Heraclitus of Ephesus for making this observation!) – and my interest now is how to give IT and executives visibility into these changes, and give enough info to understand them in context of overall systems security and compliance.
You can expect to see more random thoughts and observations on information governance, risk management, IT security, etc. In the meantime, I still have the warm feelings for SharePoint and the community around it, so you may see occasional notes specific to SharePoint as well. (And while we are at it – I am speaking at SharePoint Conference Ukraine next week, excited to be back in beautiful Kiev!)
May 30, 2013
Last week I was speaking at SharePoint Conference Ukraine in Kiev. The conference content owners had picked SharePoint governance from my suggested list of topics, and I tried to put together several examples to highlight what governance is and what it is not.
What struck me as I was preparing was the idea that the term itself (“SharePoint governance”) is somewhat unique across all Microsoft applications. Have you ever heard about Exchange Server governance? Or Dynamics CRM governance? Even with SharePoint, the term appeared in late 2007 – early 2008 and was quickly picked up by the community. Thanks to internet search technologies, we can see the relative frequency of use for terms “SharePoint governance” and “Exchange governance” in the IT related sources over time:
You cannot really see ANY mention of Exchange governance – why is this so? Do users share less sensitive content over email? Are there fewer business risks associated with email compared to SharePoint? Less need in protecting personal information, controlling exponential growth, complying with content retention requirements?
Obviously, no. Companies have to govern all of the IT infrastructure to adequately address the business needs and maintain controllable and predictable costs. For whatever reason the term resonated so well only with the SharePoint community.
Does this mean SharePoint governance is only a buzz word that various Microsoft partners are glad to use to sell their services and tools? What do you think?
P.S. In my conference talk I tried to give examples why it might be a good idea to start thinking about SharePoint governance. Here’re the slides (in Russian).
Someone added an interesting comment to the announcement of my “Backup and recovery planning 101” session at SharePoint Conference Ukraine. The guy said they had a problem recently when a SharePoint restore did not work. So the comment was “backups don’t save you from trouble“, and I think it’s worth looking into in more detail. Here’s the situation as it was described:
- Several designers are working on a custom application in production SharePoint
- One of them leaves the desk with a bunch of unsaved changes on screen
- At the same time, another member of the team makes edits and removes “unnecessary” roles (permission levels)
- The first designer comes back and saves objects that are dependent on no longer existing permission levels
Well… of course backups don’t save you from trouble when you did everything to get into that trouble! Here’re my 5 tips that could have helped to avoid the failure – and most of this is not about backups:
- Never develop or test an application in your live production system. If you think you do not have a test environment, you are wrong – you do have a test SharePoint farm. It’s just by mistake you call it your production.
- Define roles and responsibilities. These two designers making simultaneous changes to the same app could have probably better split their work to mitigate risks and dependencies.
- Implement change control processes. With a proper change control in place, all team members would have reviewed and signed off on all of the suggested changes before anyone started editing anything.
- Assess different SharePoint failure scenarios and their business impact, ranging from entire farm disaster recovery down to a single item recovery. How critical is the failure on each of these levels for the business processes? What happens if all SharePoint services become unavailable? How much data your business can afford to lose?
- Develop and implement backup and recovery plan based on these findings. Establish a practice for testing backups and performing fire drill recoveries to ensure the plan continues to work as the SharePoint environment evolves.
What we have here is an example of extremely poor SharePoint governance. As much as the term itself may be confusing, the lack of governance is usually obvious. See this great post by Susan Hanley for a broader discussion of governance and guidance.
A proper backup and recovery plan is designed to minimize the business impact in case of data loss or service unavailability, based on the estimated scale of this impact. However, backups are only a part of the organization’s efforts to ensure business continuity. Having a backup in place cannot be an excuse for ignoring the need to properly govern your SharePoint customization and deployment.
March 27, 2012
Just got another question about SharePoint 2010 remote BLOB storage (RBS) and its impact on the backups. The topic is already covered by so many posts and articles, I will just add a quick summary and few links to more details.
There are three simple things to remember about RBS and backups:
- It is the RBS provider implementation that defines how backup works for externalized content. External content may or may not be included in your backups, depending on the provider you choose.
- With the out of the box SQL 2008 R2 RBS FILESTREAM provider, externalized content is included in traditional VDI backups (“virtual backup device interface”). That is, native SQL and SharePoint backups will include both the database and the external content. Same is true for all 3rd party SQL backups that use VDI.
- The out of the box SQL 2008 R2 RBS FILESTREAM provider does not support snapshots. Any SQL backup based on snapshots (such as Microsoft Data Protection Manager) will NOT automatically protect the external content.
If you plan to leverage RBS to reduce the size of your databases in SQL, you may have to change your backup strategy based on the above. Major questions are:
- What is your current backup strategy, do you use snapshots or traditional backups?
- How does the RBS provider of your choice work with the existing backup? Will external content be automatically included in backups?
- If yes, make sure you and your SQL DBAs are aware that backup files can be MUCH larger than SQL database size
- If not, how will you handle backup and restore of the external content? For example, if your backup is snapshot-based, you should take same time snapshots of the file system or NAS location with the external content. Make sure you test and thoroughly document all recovery scenarios in this case.
See also Plan for backup and recovery on Microsoft TechNet for other considerations.
Configuring RBS FILESTREAM for SharePoint 2010 and SQL 2008 is not a trivial task. Ghazwan Khairi recently started his SharePoint Quester videoblog, and one of his posts goes step by step through installing and configuring RBS for SharePoint 2010. This includes all script snippets and command line examples that you’ll need. Very helpful and detailed, check it out.
Finally, if you wonder why anyone may want to go into all this trouble with configuring RBS, it is worth reading Chris McNulty’s blog series on top SharePoint performance killers.