-
Data Security
May 20, 2020
Introducing the Varonis Remote Work Update
The Varonis Data Security Platform Remote Work Update is here! This update delivers the product enhancements you need right now to keep your data safe in a work-from-home world. In this video, we’ll give you a quick tour of what’s new and outline all the details in the post below.
Michael Buckbee
4 min read
-
Data Security
May 20, 2020
How to Use Nmap: Commands and Tutorial Guide
Nmap is a network mapper that has emerged as one of the most popular, free network discovery tools on the market. Nmap is now one of the core tools used by network administrators to map their networks. The program can be used to find live hosts on a network, perform port scanning, ping sweeps, OS detection, and version detection.
Michael Buckbee
7 min read
-
Data Security PowerShell
May 14, 2020
Windows PowerShell vs. CMD: What's The Difference?
Back in the day, booting the then-cutting-edge IBM 8086 from the floppy brought you to a green text screen with a cursor blinking at the familiar C:\> prompt. Hacking boot.ini and config.sys to get my games to run was my first introduction to programming.
Michael Buckbee
2 min read
-
Data Security PowerShell
May 14, 2020
Windows PowerShell Scripting Tutorial For Beginners
Windows PowerShell is a powerful tool for automating tasks and simplifying configuration and can be used to automate almost any task in the Windows ecosystem, including active directory and exchange. It’s no wonder that it’s become a popular tool among sysadmins and experienced Windows users.
Michael Buckbee
11 min read
-
Data Security
May 14, 2020
GDPR Requirements in Plain English
You just want to answer the question: “What do I need to do for GDPR?”
Michael Buckbee
23 min read
-
Data Security
May 13, 2020
24 Essential Penetration Testing Tools in 2020
Penetration testing has become an essential part of the security verification process. While it’s great that there are many penetration testing tools to choose from, with so many that perform similar functions it can become confusing which tools provide you the best value for your time.
Michael Buckbee
7 min read
-
Data Security Security Bulletins
May 05, 2020
The Complete Azure Compliance Guide: HIPAA, PCI, GDPR, CCPA
Ensuring that your Azure cloud service is compliant with the regulations that cover customer data can be complex. Each set of regulations – HIPAA, PCI, GDPR, and the CCPA – contains different definitions and requirements, all of which have an impact on the way that you work with Azure.
Michael Buckbee
18 min read
-
Data Security
May 01, 2020
COVID-19 Threat Update #6
Hoarding isn’t just happening with toilet paper: we’re seeing cases where remote employees have downloaded department-level folders. Chances are, these files will contain sensitive data like PII, PCI, HIPAA and GDPR.
Kilian Englert
1 min read
-
Privacy & Compliance
Apr 30, 2020
Is Microsoft Office 365 HIPAA Compliant?
No. That’s the answer in their FAQ. Out-of-the-box Office 365 is not HIPAA compliant, and you need to take the appropriate steps to ensure your organization stays compliant.

As the covered entity (CE) in HIPAA legalese, it is up to you to maintain HIPAA compliance and to pick systems and tools that will serve that end. Let’s dig into what Microsoft does offer to help you stay HIPAA compliant.

Office 365 Compliance Center and Features

When people get into compliance with Office 365, they probably first check out the Office 365 Compliance Center. Compliance Center is a suite of tools and dashboards that are available to Office 365 customers on the highest tier package, E5, or with an add-on to the E3 package. Here is a list of high-level features in Microsoft Compliance Center:

Compliance Scorecard: The compliance scorecard shows you a compliance score based on Microsoft’s calculations. The compliance score is a risk-based aggregate score that shows you your current position and informs the next steps to take to become compliant. Microsoft partly calculates the compliance score from the percentage of the applicable compliance controls that your organization covers. To that end, you have to tell Microsoft which compliance regulations you want it to consider in the calculation. You can feed Compliance Center with Microsoft-managed controls or create customer-managed controls. Microsoft includes pre-configured templates of controls for most of the well-known regulations, HIPAA included.

Solution Catalog: The solution catalog shows you the Microsoft tools you can implement to meet compliance objectives.

Insider Risk Management: Insider risk management allows you to detect, investigate, and take action on risky activities in your organization. With this feature, you can create custom alerts and take action on malicious and inadvertent risky activities. Insider risk management allows you to create policies based on pre-defined templates that define what kinds of risks Office 365 considers worth an alert. You can set conditions for the alert, define which users to include, and set the time period for the alerting.

Office 365 HIPAA Compliance Considerations

Here are some key points to consider as you implement your Office 365 HIPAA compliance program.

Enabling Office 365 HIPAA Compliance

Healthcare organizations that are moving to Office 365 should implement the various compliance tools and systems in Office 365 that support their privacy and compliance strategy. Still, they should not wholly depend on these systems in their compliance program. The reports available in the Office 365 Compliance Center will be valuable during HIPAA compliance audits. AIP can help with risks – like unauthorized access by insiders or accidental data leaks – but you shouldn’t rely on AIP as a silver bullet for HIPAA compliance. Here are a few more things to know.

Office 365 HIPAA Business Associate Agreement: HIPAA requires that both covered entities and their business associates – defined as any organization that works with PHI – enter into contracts with each other. These contracts ensure that business associates have technical and managerial systems in place to protect PHI. When working with Office 365, this means entering into a Business Associate Agreement (BAA) with Microsoft. The Microsoft BAA clarifies and limits how both you and Microsoft can handle PHI and details the steps that you will both take to adhere to the provisions of HIPAA.

Once a BAA is in place, Microsoft customers — which are covered entities in this case — can use its services to process and store PHI. For Microsoft cloud services like Office 365, the HIPAA Business Associate Agreement is available via the Online Services Terms. It is offered by default to all customers who are covered entities or business associates under HIPAA.

It’s important to recognize, however, that entering into a BAA does not, in itself, ensure that you are HIPAA compliant. You can work with PHI in Office 365 in many ways that are not compliant. In short, you are still responsible for ensuring that you have an adequate compliance program and internal processes in place and that your particular use of Microsoft services aligns with HIPAA. As always, when pressed with legalese, consult a lawyer with expertise in HIPAA compliance.

Office 365 HIPAA Best Practices

Here are some best practices for configuring and setting up Office 365 for HIPAA:

- Strive to maintain least-privileged access from the beginning of your Office 365 implementation. Enforce permissions so that users can only access the PHI they need to do their jobs. This will help keep PHI away from unauthorized users.
- Use Microsoft’s end-to-end encryption to protect PHI. Encrypting HIPAA data can help prevent data breaches, and having encryption enabled will look good on an audit.
- Use Microsoft Information Protection (MIP) to prevent users from mistakenly sending PHI to unauthorized users. MIP can read from a whitelist of domains, or you could even give external users Azure accounts to keep unauthorized users from accessing your PHI.
- Enable multi-factor authentication in Office 365.
- Maintain the Office 365 audit logs in case of a compliance incident.
- Keep backups of data held in Office 365 per HIPAA regulations.

Maintaining Office 365 Compliance with Varonis

Varonis helps cover the gaps you may encounter in Office 365 compliance.

Access Control: A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).

Varonis maps all of your users, folders, and permissions so you can identify where your data is at risk of unauthorized access. With Varonis, you can track any sharing links or unintended access points that your users create with Office 365, through Teams, for example. With a wide array of pre-built permissions reports, Varonis makes HIPAA audits much faster. You can provide auditors with comprehensive reports detailing precisely who can access e-PHI, how they got access, and whether they actually need it to do their job.

Varonis then classifies your PHI both on-premises and in Office 365 so you can identify all of the HIPAA-protected data, without the need to train a classification engine to do it. Varonis works out of the box to classify HIPAA data and requires little tuning for accurate results. Additionally, Varonis integrates directly with AIP to label sensitive files so AIP can encrypt and track sensitive data.

After you have identified the folders where HIPAA data is in the greatest danger, Varonis helps you mitigate that risk by automating the processes required to move to least-privileged access. Limiting access to HIPAA data to only those individuals who are authorized – often referred to as the principle of least privilege or privacy-by-design – is a milestone on the HIPAA compliance journey.

Audit Controls: A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.

Varonis monitors and records your file activity, folder activity, and email activity so you can always answer the question, “Who is accessing HIPAA data?” Varonis reporting will allow you to prove to auditors exactly who is accessing your e-PHI. Varonis looks for patterns of abnormal behavior on your e-PHI and alerts you to any potential misuse from insiders or outsiders. The audit logs are enriched and normalized across all monitored data streams. That means that any event you investigate looks the same in Varonis and includes all of the important data about that event, and that Varonis can quickly apply analytics to detect abnormal behaviors that could be threats to your HIPAA data.

Integrity Controls: A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.

Varonis correlates file access, email activity, and perimeter telemetry to warn you of any potential threats to your e-PHI. A valid user accessing e-PHI isn’t noteworthy, but Varonis can tell you if that user account logged in from an odd geographic location, is accessing data they have never touched before, or if the computer they logged into recently triggered a malware alert. Varonis gives you actionable intelligence you can use to investigate any potential intrusion.

Considerations When Operating Office 365

Office 365, especially when you add Teams on top of it, can make things like compliance and data security problematic. Teams, and to some extent Office 365, are designed to enable sharing of data first and protect data last. Varonis protects data first. When you layer the two systems together, you pave a much easier path towards HIPAA compliance and protect your patient data from breaches.

In short, HIPAA compliance can be complicated. If you’re struggling with HIPAA compliance in Office 365 or on-premises Windows-based environments, Varonis offers a no-obligation data risk assessment. Our engineers will install the Data Security Platform so you can start discovering your e-PHI, uncovering risks, and monitoring for threats. Use the report to generate a prioritized remediation plan, get buy-in from leadership, and map out what you need to do next to meet regulations. Start with a conversation.
Michael Buckbee
5 min read
-
Data Security
Apr 24, 2020
COVID-19 Threat Update #5
The race to enable remote work sent IT and security teams into high gear — and often resulted in shortcuts that exposed organizations to incredible risk in the process. Hackers know companies are vulnerable, and time is on their side: they’re leveraging tried-and-true brute-force attacks and doing recon to target their attacks.
Kilian Englert
1 min read
-
Data Security Security Bulletins Threat Research
Apr 22, 2020
Azure Skeleton Key: Exploiting Pass-Through Auth to Steal Credentials
EDIT: Security researcher Adam Chester had previously written about Azure AD Connect for Red Teamers, talking about hooking the authentication function. Check out his awesome write-up here.
Eric Saraga
6 min read
-
Data Security
Apr 15, 2020
Hackers Take Aim at Home WiFi Networks
Millions of people are working remotely – and attackers are taking advantage. As more workers log into residential WiFi networks, cybercriminals have plenty of opportunities to launch attacks.
Rachel Hunt
1 min read