Corporate data needs to be secure, private and protected. That’s obvious advice, but the steps organizations should take to prevent data security threats and keep their data safe from hackers are much less apparent.
This article looks at some of the tactics — both old and new — hackers are using in their attempts to access your data. Spoiler alert: Protecting your organization from data security threats requires a comprehensive approach. Security isn’t just orchestrated through a single security department, and it can’t merely reside in a single layer of a protocol stack. Threats come from various sources, from both inside and outside an organization. Combating these threats requires a multilevel and multifaceted strategy that includes not just IT, but other departments, including HR, accounting and legal. Here’s a look at some trends that pose the biggest threats to corporate data and the actions you can take to protect it.
Undetected data security threats
These can be called exploits waiting to happen. Vulnerabilities that may already exist in your corporate systems can be used to compromise data privacy. For example, legacy systems might have built-in backdoor administrative passwords. These potential superuser identities might have access to all data, thus enabling the users to steal data without even having to hack a real user’s credentials.
Protecting your data means making a list of all third-party and in-house IT systems in use. Verify whether these systems have any superuser IDs. If so, confirm that the user ID’s password isn’t set to the system default and that it is either disabled, if not needed, or, if used, guarded by a strong password.
For everyone else, access control lists (ACLs) will be the primary tool for protecting data. ACLs specify data access rights, among them read-only, read/write, write-only or no access. These rights are then assigned to user profiles, which are, in turn, associated with users.
It is a thankless but necessary task to review your corporate ACL structures and certify that ACL assignments reflect current corporate needs. Some lists might include all-access permission that was initialized when the current server environment was installed as a way to debug the system or to assist users with trouble accessing a particular file. ACLs don’t expire. ACLs with global file access rights can effectively open a backdoor that can be used to compromise data — even from within the corporate network. ACLs created for special groups or projects that are no longer active should be deleted.
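The review described above is easy to script once the ACLs are exported in a flat form. The following is an added example, not code from the original article: it parses a constructed tab-separated export (path, principal, rights), then flags entries that grant write or full access to a global principal, global read access on a sensitive path, or any access to a group that is no longer active. The export format, principal names, paths and the inactive-group list are all assumptions made for the example.

```python
"""Audit a flattened ACL export for entries that widen access beyond current need.

Input format (constructed for this example): one entry per line,
"path<TAB>principal<TAB>rights", where rights is a comma-separated subset
of {read, write, execute, full}.
"""

# Principals that effectively mean "anyone on the network" (assumed names).
GLOBAL_PRINCIPALS = {"everyone", "authenticated users", "domain users", "*"}

# Path prefixes whose contents should never be globally readable (assumed).
SENSITIVE_PREFIXES = ("/srv/finance", "/srv/hr")

# Constructed sample export; nothing here comes from a real system.
SAMPLE_ACL_EXPORT = """\
/srv/finance/ledger.db\tfinance-ro\tread
/srv/finance/ledger.db\teveryone\tfull
/srv/hr/payroll.xlsx\thr-staff\tread,write
/srv/hr/handbook.pdf\teveryone\tread
/srv/projects/apollo/\tproj-apollo\tread,write
/srv/build/\tbuild-svc\tread,execute
/srv/public/\teveryone\tread
"""

# Constructed: a project group that was disbanded but whose ACL entries remain.
INACTIVE_GROUPS = {"proj-apollo"}


def parse_acl_export(text):
    """Turn the export into a list of {path, principal, rights} dicts."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 tab-separated fields")
        path, principal, rights = parts
        entries.append({
            "path": path.strip(),
            "principal": principal.strip().lower(),
            "rights": {r.strip().lower() for r in rights.split(",") if r.strip()},
        })
    return entries


def audit_acl(entries, inactive_groups=INACTIVE_GROUPS):
    """Return (finding_type, path, principal) tuples in export order."""
    findings = []
    for e in entries:
        is_global = e["principal"] in GLOBAL_PRINCIPALS
        writable = bool(e["rights"] & {"write", "full"})
        readable = bool(e["rights"] & {"read", "full"})
        sensitive = e["path"].startswith(SENSITIVE_PREFIXES)
        if is_global and writable:
            findings.append(("global-write", e["path"], e["principal"]))
        elif is_global and readable and sensitive:
            findings.append(("global-read-sensitive", e["path"], e["principal"]))
        if e["principal"] in inactive_groups:
            findings.append(("stale-group", e["path"], e["principal"]))
    return findings


if __name__ == "__main__":
    for kind, path, who in audit_acl(parse_acl_export(SAMPLE_ACL_EXPORT)):
        print(f"{kind:22s} {path:28s} {who}")
```

Global read on a genuinely public share is deliberately not flagged; the audit is meant to surface entries that contradict current need, not to generate noise the reviewer will learn to ignore.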
Guarding against self-inflicted attacks
Despite an organization’s best efforts, many breaches are essentially self-inflicted: Phishing attacks, propagated through emails cloaked with the look and feel of legitimate senders, are a major hazard today and likely will continue to be so in the years to come. These attacks become even more dangerous because users who click on these messages may use similar ID and password combinations for multiple systems, putting additional data in jeopardy. Even more insidious are newer, so-called whaling attacks, where the sender masquerades as the user’s boss or some other known executive within the organization. Because the emails appear to be genuine business requests, recipients often comply.
Tried-and-true security options
While addressing new and more subtle methods for compromising data, don’t forget malware’s fast-and-frontal attacks. Malware still exists and may come in the form of a SQL call or be carried in the code of a utility program downloaded by an employee. Regardless of its source, malware remains a force to be reckoned with when protecting your data.
A basic, garden-variety, port-filtering firewall isn’t sufficient protection against all data security threats. Deploying an intrusion detection and prevention system (IDS/IPS) that provides deep packet inspection will increase the effectiveness of an organization’s security perimeter and reduce the severity of attacks that get through. Agent-based endpoint security management software capable of tracking malware signatures is another important tool. A multipronged approach — one that includes user education — is particularly important in battling ransomware, which is perhaps the most virulent form of malware. This is the ultimate attack on corporate data privacy and security. A successful ransomware attack can paralyze a system — and, potentially, a company. The most common way for these attacks to occur is by getting someone to run infected software on the company’s computers. The best way to eliminate that chance is to use a security strategy that relies on a cohesive — and up-to-date — set of endpoint, firewall and IDS/IPS tools.
Blocking low-and-slow attacks
In contrast to attacks that try to barge in via a firewall or email, a whole new breed of attacks can be described as low-and-slow intrusions. Instead of malware running on a computer, these attacks are funneled through low-level applications or devices, like surveillance cameras, and are deliberately programmed to avoid detection by exfiltrating data slowly over time.
These attacks use a variety of ways to harvest data. A Tolly Group evaluation of low-and-slow attacks in 2019 found that, in one case, malware had compromised the OS of a surveillance camera. The malware collected information about devices inside the company, while also still performing its video functions, periodically sending that data to an external website. Since many firewalls are configured to assume outgoing traffic is legitimate, the information was exfiltrated successfully.
In another example, exfiltration software was contained in an unregistered Google Chrome browser extension. Residing as part of the browser, it was able to gather data, which it then exfiltrated to an external website. Another incursion involved code that used the DNScat tunneling tool to take data files from the PC and send them to the attacker’s website, evading perimeter security in the process.
To deal with these kinds of threats when protecting your data, consider adding a new type of security system: a network detection and response (NDR) system. Unlike IDSes/IPSes that look for signatures, NDR systems use AI and machine learning to monitor the network as they learn what normal traffic looks like. An NDR system will detect anomalous traffic and alert corporate security teams to stop a low-and-slow exfiltration if it attempts to contact an external website to deliver stolen data.
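Two of the behaviours described in this section are detectable from ordinary network logs without any signature: a compromised device that phones out on a fixed schedule, and DNS tunneling, which shows up as long, high-entropy hostname labels sent repeatedly to one domain. The following is an added example, not code from the original article or from any NDR product, showing both heuristics over constructed log lines. The log formats, thresholds, IP addresses and domain names are assumptions made for the example.

```python
"""Baseline-style detectors for low-and-slow exfiltration in network logs."""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log: "epoch_seconds src dst bytes_out".
# 10.0.5.21 connects to the same external host every 300 s (a beacon);
# 10.0.5.22 connects irregularly (ordinary user traffic).
SAMPLE_CONN_LOG = """\
1700000000 10.0.5.21 203.0.113.9 1480
1700000300 10.0.5.21 203.0.113.9 1512
1700000600 10.0.5.21 203.0.113.9 1475
1700000900 10.0.5.21 203.0.113.9 1490
1700001200 10.0.5.21 203.0.113.9 1503
1700000010 10.0.5.22 198.51.100.4 8200
1700000750 10.0.5.22 198.51.100.4 120
1700001190 10.0.5.22 198.51.100.4 33000
"""

# Constructed DNS query log: "src qname". The 32-character hex labels under
# tun.example.net are the shape that data encoded into DNS names takes.
SAMPLE_DNS_LOG = """\
10.0.5.21 www.example.com
10.0.5.21 mail.example.com
10.0.5.30 a9f3e1c4b7d2e8f0a1b2c3d4e5f60718.tun.example.net
10.0.5.30 9c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f.tun.example.net
10.0.5.30 0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e.tun.example.net
10.0.5.30 f0e1d2c3b4a5968778695a4b3c2d1e0f.tun.example.net
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_beacons(log_text, min_events=4, max_cv=0.1):
    """Return (src, dst, period_seconds) for pairs whose inter-connection
    intervals are nearly constant (stdev/mean at or below max_cv)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes = line.split()
        times[(src, dst)].append(int(ts))
    beacons = []
    for (src, dst), ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            beacons.append((src, dst, round(m)))
    return beacons


def find_dns_tunnels(log_text, min_queries=3, min_label_len=24, min_entropy=3.5):
    """Return (src, registered_domain, count) for sources that repeatedly
    query long, high-entropy leftmost labels under one domain."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, qname = line.split()
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        first = labels[0]
        base = ".".join(labels[-2:])  # assumption: two-label registered domain
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            hits[(src, base)] += 1
    return sorted((src, base, n) for (src, base), n in hits.items() if n >= min_queries)


if __name__ == "__main__":
    print("beacons:", find_beacons(SAMPLE_CONN_LOG))
    print("dns tunnels:", find_dns_tunnels(SAMPLE_DNS_LOG))
```

Both detectors key on the shape of traffic rather than its content, which is why they still work when the payload is encrypted or when the outbound direction is trusted by the firewall. A production version would learn the per-host baseline over days and raise the count and length thresholds accordingly.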
Keep tabs on your data
Consider ways to keep tabs on data. One way to do that is to use data loss protection (DLP) software. DLP generally relies on an agent that runs on every client device. The software runs in conjunction with a management server and uses templates that identify data that needs to be protected from removal. Typical examples include data strings, like Social Security or credit card numbers. Templates can also be created to flag certain keywords, such as trade secret or proprietary, to ensure documents containing these terms are protected. Generally, template-based DLP tools work best on structured data or files containing evident examples of confidential text. Newer DLP products use features that examine the movement of all data rather than examining specific data patterns. These tools don’t intercept data; rather, they create a trail of evidence to enable security teams to remedy leaks by pinpointing who may have exposed the data and the type of information revealed.
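The template matching described above is straightforward to demonstrate. The following is an added example, not code from the original article or from any DLP product: it scans a constructed document for the two data-string templates the text names (Social Security numbers and credit card numbers, the latter validated with the Luhn checksum so that arbitrary 16-digit order numbers are not flagged) and for the keywords "trade secret" and "proprietary". The sample text and the number formats accepted are assumptions made for the example.

```python
"""Template-based DLP scan: SSNs, Luhn-valid card numbers and keywords."""
import re

# SSN in the conventional 3-2-4 form, rejecting never-issued prefixes
# (000, 666, 9xx) and all-zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digits with optional single spaces or hyphens between them.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

KEYWORDS = ("trade secret", "proprietary")

# Constructed sample document. The card number is the widely used Visa test
# number; the "order" number is deliberately not Luhn-valid.
SAMPLE_DOCUMENT = """\
Card on file: 4111 1111 1111 1111 (exp 09/27). Order 1234 5678 9012 3456.
Applicant SSN 123-45-6789. This design is proprietary to Example Corp.
"""


def luhn_valid(digits):
    """True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return (template, matched_value) tuples for every hit in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("card", digits))
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append(("keyword", kw))
    return findings


if __name__ == "__main__":
    for template, value in scan_text(SAMPLE_DOCUMENT):
        print(f"{template:8s} {value}")
```

The Luhn check is what keeps a template like this usable: without it, every phone number, invoice number or tracking code of the right length becomes a false positive, and users quickly learn to ignore the alerts.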
The partnership data-security conundrum
When data gets compromised, there is little solace in saying, “It wasn’t us. It was our partner.” Keeping systems and data secured can be difficult when they are controlled by a partner. Indeed, the most serious problems organizations face may stem from lax security on the part of partners — businesses or cloud storage providers — with whom they share or deposit data.
Today’s commerce almost requires companies to share important data files with their business partners. But those partnerships also include risks in terms of data security threats. More than 12 million patients who used Quest Diagnostics had some of their medical records stolen when hackers accessed a contractor’s IT system between 2018 and 2019. The contractor, American Medical Collection Agency, was used by both Quest and LabCorp to handle billing collections. More recently, Amazon subsidiary Ring said some customer accounts were stolen by hackers who accessed an unidentified third-party service.
Equally worrisome, cloud providers aren’t immune from problems. The so-called Cloud Hopper hack, revealed at the end of 2019, gave hackers unfettered access to data from a myriad of clients. Security analysts have confirmed trade secrets and other intellectual property were contained in stolen files. The victim companies had assumed their cloud storage vendors had adequate security. Bottom line: Don’t assume files handed over to SaaS vendors are safe. They may not be.
Profitable data — be it credit card records, Social Security numbers or any other transactional information — will always be the target of motivated hackers. All they need is one way in. Keeping up with new hacking techniques and new safeguards, as well as constructing a strong security foundation, is the best way of protecting against data security threats.