10 Ways to Compromise your Sensitive Data

In this blog post by Professor John Walker, we consider the areas surrounding data security and look at the many ways in which data may be breached, altered or compromised. Some are obvious, others less so. We explore the topic around the four legs of the security table, CIA+A:

Confidentiality, Integrity, Availability and Accountability.

1.

Fake Secure Drives

I have encountered several 'secure, encrypted drives' for sale which are nothing more than an ordinary drive sealed inside a PIN-protected casing. The PIN gates the casing, not the data: nothing stored on the drive itself is encrypted. A security-minded user who buys such a device will store sensitive data assets in the belief that they are protected by encryption, when in fact anyone who removes the drive from its casing and connects it to another machine can read the content in the clear.

Mitigation: If you care about the robust security of your files, only use certified, trusted encrypted drives built and validated to the FIPS 140-2 standard, and confirm that the data on the drive is actually encrypted, so that the encryption key cannot be bypassed by simply lifting the drive out of its enclosure.

2.

Change of Domain Policy

A Nottingham-based financial services business was unfortunate enough to be hit by a zero-day computer virus, which spread quickly within its operational environment. A Major Incident Board was convened, bringing together senior members of the IT security team and directors from the company's Technical Services Board. They concluded that the quickest way to deploy the required patch was to change the domain policy to open up access to every client system (desktops and laptops), push the updated .DAT signatures, and then reapply the original domain policy to return all systems to their previous security posture.

Once this was done the team stood down. It soon became apparent that something had gone wrong: members of the IT security team began receiving calls from ordinary users reporting, in one case, that they could see every file on the Human Resources Director's local drive, and the calls kept coming. What the Technical Services Board director and the information security team had not appreciated was that, whilst permissions can be removed across the domain with the click of a box, reapplying them required action on each end system (a reboot) before the original security posture was reinstated. Until then, every system and its stored data was exposed across the domain.

Mitigation:

  1. Ensure that those in key positions are fully trained and, above all, competent.
  2. Where there is a need to take additional steps to secure data (e.g., the HR Director's files), encrypt the locally stored files.
  3. Consider using off-system, secure, encrypted removable drives to hold sensitive data.
  4. Before standing an incident team down, verify on a sample of endpoints that the restored policy is actually in effect (for example with gpresult /r and an effective-permissions check against a sensitive folder) rather than assuming the push took.

3.

Trust your Staff

I recall working for a local authority in the East Midlands with an IT Director who could never surprise his staff. He commented to me, 'no matter what I tell the team at our town hall meetings, they always seem to know before I pass on the information'. That was because they did: thanks to poor security and open folders, some members of the IT team had full access to the stored data and communications of said IT Director, so yes, they always knew what was going on.

Mitigation:

  1. Ensure that folders and storage areas are appropriately protected, and not readable by members of the IT team (or any other unauthorised user, for that matter) who have no business need for the content. The right to administer a file server is not the same as a need to read what is stored on it.
  2. With any sensitive data, it is best practice to store such data objects offline, on removable, encrypted storage devices.

4.

MFD – The forgotten Technology

I previously worked as a consultant for a London-based UK Government agency which handled sensitive data of the highest classifications. Given their concern over data security, they ran a project to virtualise all desktops and laptops, so that data could only be stored on servers located within the secured computer room. However, they overlooked the fact that on every floor of the building stood an MFD (Multi-Functional Device): in effect an IP-addressable computer with its own print server, spooler, web server and hard drive storage that happens to offer printing. Print and scan jobs are spooled to, and often retained on, those drives, which were accessible and, on this occasion, unencrypted, leaving the sensitive data open to both physical and logical abuse.

Mitigation:

  1. Always run a risk assessment of data flows and storage when engaging in such a project, covering every device that stores or spools data, not just the desktop estate.
  2. Ensure that where there are configuration options (and there were) you apply a level of encryption to the drives to secure any stored data objects.
  3. Where physical access to the on-board drives may be achieved, ensure they are physically secured by lock and key.
  4. When these devices reach end-of-operational-life, at the very least ensure the disks are securely overwritten or purged; at best, physically destroy them.

5.

Trust in Logon Security

Whilst there may be great faith in the local logon security of, say, Windows or another operating system, this can be a false sense of security when we consider the data objects stored on the machine. Take the average Windows desktop or laptop: the user is confident that only they can get to the on-board data, because they log on with a very strong password and the associated credentials. However, the logon password protects the session, not the disk. Notwithstanding their credentials, gaining access to the stored data is a simple matter of physically removing the drive and mounting it on a waiting laptop via an interface such as a USB 3.0 to IDE/SATA adapter, from which point full access to the content may be enjoyed, with no password required.

Mitigation:

  1. Encrypt local drives with BitLocker or an equivalent full-disk encryption product. Bind the key to a TPM (Trusted Platform Module) and add a pre-boot PIN, or keep the startup key on a USB device stored separately from the machine, and check with manage-bde -status that protection is actually on rather than merely configured.
  2. Better still, use a removable, FIPS 140-2 validated encrypted drive fitted with an additional security mechanism, such as PIN protection.

6.

Cloud

If you are using cloud, and most are in some form or another, ensure that you have completed full due diligence on the third-party supplier, remembering that cloud and third-party supply chains are a well-known route for introducing insecurity. Consider technologies such as AWS S3 buckets and ensure they are secured: a bucket policy or ACL that grants access to everyone is readable by everyone, and cloud environments are one of those areas which can reveal a great deal to an OSINT (Open-Source Intelligence) mission, leading to the acquisition of valuable information.

To mitigate potential exposure when using third-party (TP) services or cloud, some consider encrypting the sensitive objects within the TP environment or on the cloud, to secure them from prying eyes should the external service fall victim to a hack or compromise. That is an excellent security consideration. However, the user organisation must keep in mind that, depending on how the encryption keys are stored (protected) within the TP or on the cloud, a compromise of the TP/cloud should be expected to include the attackers going looking for the encryption keys or digital certificates that were employed to secure the supposedly secured assets. If the keys sit in the same environment, under the same credentials, as the data they protect, the encryption buys very little. In my experience this is not a theoretical consideration but a circumstance which I, and many others, have observed in real-world attacks, where the actual security credentials to the golden nuggets of data were also stored in an exposed, inappropriate, insecure way and thus also fell to compromise.

Mitigation:

  1. Consider running your own red-team activity against any procured, or to-be-procured, service to gain insight into its overall footprint.
  2. Conduct an in-depth review of the service provider at all levels.
  3. Once procured and operational, ensure regular service review meetings are held, say every three months.
  4. Where valuable logical assets are involved, consider an escrow agreement to provide security over assets lodged with the third party (just in case).
  5. Where the objective is a robust security schema that leverages encryption within a TP or on the cloud, one complementary approach is to hold the digital certificates and encryption keys outside the TP/cloud environment, under the sole custodianship of the user or user organisation. This is the most pragmatic and secure way to maximise the security footprint of the deployment: the security credentials are never exposed to a sniffing attack within the provider, and they remain under the safe and sole custodianship of the owner of the sensitive data objects.
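The "ensure your S3 buckets are secured" advice above reduces to two concrete checks on what AWS returns for a bucket: an Allow statement in the bucket policy whose Principal is the wildcard "*" with no Condition narrowing it, and ACL grants to the AllUsers or AuthenticatedUsers groups. The following script is an added example, not code from the post or from any vendor; the bucket name, VPC endpoint identifier and both documents are constructed for illustration, and in practice you would feed it the JSON from get-bucket-policy and get-bucket-acl.

```python
"""Audit an S3 bucket policy and ACL for anonymous exposure.

Added example, not from the post. The policy and ACL below are constructed
(bucket name and VPC endpoint id included). It flags an Allow statement whose
Principal is "*" / {"AWS": "*"} with no Condition, and ACL grants to the
global AllUsers / AuthenticatedUsers groups.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for the forms AWS treats as 'everyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_json):
    """Sids of Allow statements that grant to everyone without a Condition."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        # A Condition (aws:SourceVpce, aws:SourceIp, ...) narrows the wildcard;
        # such statements need a human review rather than an automatic 'public'.
        if st.get("Condition"):
            continue
        findings.append(st.get("Sid", "statement[%d]" % i))
    return findings


def public_acl_grants(acl):
    """(group, permission) pairs granted to a global group."""
    out = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            out.append((uri.rsplit("/", 1)[1], grant["Permission"]))
    return out


def audit_bucket(policy_json, acl):
    """Run both checks; empty lists mean no anonymous access was found."""
    return {"policy": public_policy_statements(policy_json),
            "acl": public_acl_grants(acl)}


# Constructed sample input (not a real bucket): one public statement, one
# wildcard narrowed to a VPC endpoint, one Deny that must not be flagged.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_POLICY, SAMPLE_ACL), indent=2))
```

The VpcOnly statement is deliberately left out of the findings: a wildcard principal behind a Condition is not public, but it is exactly the kind of statement a reviewer should read by hand, since the condition keys decide who gets in.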

7.

Equipment Disposal

I have frequently witnessed the disposal of devices such as MFDs, mobile phones, IoT devices, printers, computers and servers. On each of these occasions the data-holding systems were disposed of still containing corporate and sensitive data: from mobile phones which had been allowed to connect to corporate systems, to hard drives populated with local authority case files on vulnerable children.

Mitigation:

  1. Create and promulgate a policy and process to govern how end-of-life equipment is processed out of the business.
  2. Create a register to document the end-of-life journey that every device takes.
  3. Hold all such devices in a physically secure location until they have been correctly processed in accordance with the mandated policy and process.

8.

Paper

Don't suffer from tunnel vision when securing your data assets. Remember, it is not just about the digital aspects; your security posture also needs to encompass the other carriers of insecurity, e.g., paper. I recall my very first contract on the South Coast. The project manager said to me on my first day, 'you need to make a difference, and quick, to convince the executive we need to look at the company's overall security posture'. Four hours later I presented him with a sack full of paper holding client personal details, credit card information and client bank account details, all of which had been thrown into the general waste bins.

Mitigations:

  1. Equip the facilities with secure, locked, clearly marked classified-waste bins.
  2. Produce and promulgate a policy to drive the mandated requirements.
  3. Consider using an on-site secure paper shredding/disposal service.
  4. Educate end users.

9.

MetaData

Metadata is data about data, and can leak a great deal of unintended information, ranging from user profiling, departmental data and telephone extensions right down to internal IP addresses and software versions. Such unintended information can be leveraged by an adversary to footprint and target an organisation or individual, and provides a very good launch point for a social engineering attack.

Mitigation:

  1. Employ a method of removing unwanted metadata from documents prior to release, and verify the output rather than trusting the tool: open the cleaned file's properties and confirm the author, company and last-modified-by fields are empty.
  2. It may be obvious, but ensure that documents are not released with tracked changes still embedded; accept or reject them before export.
  3. Consider using secured PDF formats (locked down, encrypted with a password or certificate).
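To make mitigations 1 and 2 concrete, the following script is an added example (not code from the post) that strips the identifying fields from a .docx, which is just a zip archive whose docProps/core.xml and docProps/app.xml carry the author, last editor, company, application version and total editing time. It builds a small constructed document in memory, cleans it, and reads the fields back so the result is verified rather than trusted. The field lists and the sample values are assumptions for illustration; tracked changes live in word/document.xml and are not touched here, so they still need accepting in the editor first.

```python
"""Strip identifying metadata from a .docx before release.

Added example, not from the post. A .docx is a zip; the author, last editor,
company, application version and editing time live in docProps/core.xml and
docProps/app.xml. This blanks those fields and rewrites the archive, leaving
the document body and the title intact. The sample document is constructed
in memory for illustration.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():      # keep readable prefixes on output
    ET.register_namespace(_prefix, _uri)

# Fields that identify people, machines or tooling. dc:title is kept.
CORE_STRIP = ["dc:creator", "cp:lastModifiedBy", "dc:description",
              "dc:subject", "cp:keywords", "cp:category"]
APP_STRIP = ["ep:Application", "ep:AppVersion", "ep:Company", "ep:Manager",
             "ep:Template", "ep:TotalTime", "ep:HyperlinkBase"]


def _qname(tag):
    prefix, local = tag.split(":")
    return "{%s}%s" % (NS[prefix], local)


def _blank_fields(xml_bytes, tags):
    """Empty the text of each listed element; return new XML and what changed."""
    root = ET.fromstring(xml_bytes)
    cleared = []
    for tag in tags:
        for el in root.iter(_qname(tag)):
            if el.text:
                el.text = None
                cleared.append(tag)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True), cleared


def strip_docx_metadata(docx_bytes):
    """Return (cleaned_docx_bytes, list_of_cleared_fields)."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    cleared = []
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "docProps/core.xml":
                data, hit = _blank_fields(data, CORE_STRIP)
                cleared += hit
            elif info.filename == "docProps/app.xml":
                data, hit = _blank_fields(data, APP_STRIP)
                cleared += hit
            dst.writestr(info.filename, data)   # every other part copied as-is
    return out.getvalue(), cleared


def read_metadata(docx_bytes):
    """Dump the watched fields so a cleaned file can be verified, not trusted."""
    z = zipfile.ZipFile(io.BytesIO(docx_bytes))
    found = {}
    for part, tags in (("docProps/core.xml", ["dc:title"] + CORE_STRIP),
                       ("docProps/app.xml", APP_STRIP)):
        root = ET.fromstring(z.read(part))
        for tag in tags:
            el = root.find(_qname(tag))
            if el is not None:
                found[tag] = el.text or ""
    return found


def build_sample_docx():
    """Minimal constructed .docx carrying the metadata Word typically writes."""
    core = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" '
            'xmlns:dcterms="%(dcterms)s" xmlns:xsi="%(xsi)s">'
            '<dc:title>Q3 Board Pack</dc:title><dc:creator>j.smith</dc:creator>'
            '<cp:lastModifiedBy>FIN-WS04\\a.jones</cp:lastModifiedBy>'
            '<dcterms:modified xsi:type="dcterms:W3CDTF">2021-05-02T10:00:00Z'
            '</dcterms:modified></cp:coreProperties>' % NS)
    app = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<Properties xmlns="%(ep)s"><Application>Microsoft Office Word'
           '</Application><AppVersion>16.0000</AppVersion>'
           '<Company>Example Finance Ltd</Company><TotalTime>245</TotalTime>'
           '</Properties>' % NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<w:document/>")   # body left untouched
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    cleaned, cleared = strip_docx_metadata(original)
    print("before:", read_metadata(original))
    print("after: ", read_metadata(cleaned), "cleared:", cleared)
```

Running the cleaned output back through read_metadata is the check mitigation 1 asks for; a release process should do the same against whatever tool it uses, since a tool that reports success but leaves cp:lastModifiedBy populated has given the attacker a username and a workstation name.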

10.

DNS

The Domain Name System is so often overlooked, and yet it is as important to a penetration test as anything else concerned with IP addressing. As with some of the areas above, when inspected with an OSINT methodology DNS can yield much intelligence that may be leveraged to attack the organisation: from zone transfers, which in one case led to identifying servers with hard-coded user IDs and passwords within scripts, through to the discovery of poor DNS security postures and associated weaknesses such as the lack of an SPF (Sender Policy Framework) record, which leaves the domain open to spoofed mail. DNS security is a very big area, and one I would encourage you to explore in the interest of a robust security posture, if you have not already done so.

See RFC 4033 (DNS Security Introduction and Requirements) for more information:
https://datatracker.ietf.org/doc/html/rfc4033

Mitigation:

  1. Review your organisation's DNS environments and include DNS in your penetration testing programmes: check in particular that zone transfers (AXFR) are refused to anyone but your own secondary name servers, and that each mail-sending domain publishes an SPF record ending in -all.
  2. Conduct regular security inspections to ensure your DNS environments are secure and serving the required security posture.
  3. If not familiar with DNSSEC, read RFC 4033.
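The SPF weakness mentioned above is usually found by reading the TXT record by hand. The following added example (not from the post) does that reading programmatically against RFC 7208's rules: exactly one v=spf1 record, a terminal -all rather than +all, ?all or ~all, no deprecated ptr mechanism, and no more than ten DNS-querying terms once include: and redirect= are followed. The zone data is constructed using reserved example names and documentation address ranges; in practice txt_lookup would wrap a real resolver query, and the same checks apply unchanged.

```python
"""Lint a domain's SPF policy from its TXT records (RFC 7208).

Added example, not from the post. The TXT data at the bottom is constructed;
`txt_lookup` is any callable returning the TXT strings for a name.
"""

# Mechanisms that cost a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10


def spf_records(domain, txt_lookup):
    """All TXT strings at `domain` that are SPF records (there should be one)."""
    return [t for t in txt_lookup(domain)
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]


def _terms(record):
    return [t.lower() for t in record.split()[1:]]


def _mechanism(term):
    """'~include:x.example/24' -> ('include', 'x.example/24'); drops qualifier."""
    name, _, arg = term.lstrip("+-~?").partition(":")
    return name.split("/")[0], arg


def count_lookups(domain, txt_lookup, _seen=None):
    """DNS-querying terms reachable from `domain`, following include/redirect."""
    seen = set() if _seen is None else _seen
    if domain in seen:          # a shared set: loops and repeats expand once
        return 0
    seen.add(domain)
    recs = spf_records(domain, txt_lookup)
    if len(recs) != 1:
        return 0
    total = 0
    for term in _terms(recs[0]):
        name, arg = _mechanism(term)
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include" and arg:
                total += count_lookups(arg.split("/")[0], txt_lookup, seen)
        elif term.startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], txt_lookup, seen)
    return total


def lint_spf(domain, txt_lookup):
    """Human-readable findings; an empty list means the policy looks sound."""
    recs = spf_records(domain, txt_lookup)
    if not recs:
        return ["no SPF record: receivers have nothing to reject forged mail against"]
    if len(recs) > 1:
        return ["%d v=spf1 records: RFC 7208 treats this as a permanent error" % len(recs)]
    terms = _terms(recs[0])
    findings = []
    if "+all" in terms or "all" in terms:
        findings.append("+all: every host on the internet may send as this domain")
    elif "?all" in terms:
        findings.append("?all: neutral result, the policy has no effect")
    elif "~all" in terms:
        findings.append("~all: softfail only; move to -all once all senders are listed")
    elif "-all" not in terms and not any(t.startswith("redirect=") for t in terms):
        findings.append("no 'all' term: unlisted senders get a neutral result")
    if any(_mechanism(t)[0] == "ptr" for t in terms):
        findings.append("ptr: deprecated by RFC 7208, slow and unreliable")
    lookups = count_lookups(domain, txt_lookup)
    if lookups > LOOKUP_LIMIT:
        findings.append("%d DNS lookups: over the limit of %d, evaluates to permerror"
                        % (lookups, LOOKUP_LIMIT))
    return findings


# Constructed zone data standing in for live TXT lookups.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.mailhost.example include:_spf.crm.example "
                    "include:_spf.marketing.example ip4:203.0.113.0/24 ~all"],
    "_spf.mailhost.example": ["v=spf1 include:a.mailhost.example include:b.mailhost.example -all"],
    "a.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "b.mailhost.example": ["v=spf1 mx a -all"],
    "_spf.crm.example": ["v=spf1 mx include:_spf.crm-relay.example -all"],
    "_spf.crm-relay.example": ["v=spf1 a mx ptr -all"],
    "_spf.marketing.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "open.example": ["v=spf1 +all"],
    "dup.example": ["v=spf1 -all", "v=spf1 ip4:192.0.2.10 -all"],
    "nospf.example": ["some-other-txt-record"],
}


def sample_lookup(domain):
    return SAMPLE_TXT.get(domain, [])


if __name__ == "__main__":
    for d in ("example.com", "open.example", "dup.example", "nospf.example"):
        print(d, "->", lint_spf(d, sample_lookup) or ["ok"])
```

The example.com record looks harmless on its own (three includes and a softfail), yet the chain of includes behind it costs twelve lookups, so a receiver evaluating it returns permerror and the policy silently stops protecting the domain. That is the kind of finding a manual read of the top-level record misses.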

GDPR Three Years On: What is next for the regulation

GDPR Three Years On: How can the European Commission support SMEs to reach an impeccable level of data protection compliance?

Who doesn't remember the implementation of GDPR? It is hard to believe that it has been just three years since GDPR was introduced in the EU. Today we look back to understand how GDPR has changed or improved the position of businesses and consumers, whilst considering what exactly is next for the regulation and the European Commission.

Initial reactions & shift in focus

When GDPR was adopted in 2016, ahead of its May 2018 application date, a persistent sense of scepticism hung over organisations of all sizes across the Union. Mainly this related to the limited time given for firms, in particular SMEs, to overhaul their operations to fit the new way of working, as well as fear of the fines that might be in store for organisations failing to comply. Many businesses argued that EU governments expected them to put new strategies in place with no help or guidance from the regulators themselves. It wasn't until the infamous Cambridge Analytica scandal in 2018 that consumers and businesses alike truly understood the urgency of personal data privacy and accepted the new regulation with open arms. From that point forward, GDPR was seen less as an irritating regulation or an obstacle to business operations and more as something of massive importance.

One year on – Impact & predicaments.

One year later, in May 2019, GDPR had been adopted and businesses all over the EU were scrambling to ensure they could avoid any hefty fines. Following the initial concerns, there were in fact multiple teething problems which the European Union and firms were forced to face. It was primarily contended within the first year of operation that GDPR did not live up to expectations, owing to the pitiful fines being handed out by regulatory bodies. SMEs felt as if they had been left behind in the GDPR conversation, having been left to struggle to put efficient operations in place in time. Even consumers were already feeling a sense of fatigue from the influx of unclear communications from organisations across the EU, leaving them lost and unsure how they could take full control of their data.

Despite these initial complications, GDPR was widely accepted as a positive force and a change for the better. According to a 2019 report published by Deloitte, 44% of survey respondents believed that organisations treat the protection of customer data as a higher priority and care about consumer privacy significantly more since the GDPR came into force. Consumers also felt empowered to reshape the conversation about their data, enabling those concerned about the way their data was stored and shared to demand better. GDPR also ignited a worldwide discussion, prompting countries such as the USA to debate how they should protect the data of their citizens.

Two years on – Lessons learned.

Moving forward to 2020, two years on from the implementation of GDPR, despite numerous organisations now taking GDPR in their stride and reaching a reasonable level of compliance, a proportion of SMEs were still struggling with the costs involved in ensuring compliance. Whilst technical compliance with GDPR had begun to be reasonably met, operational compliance still fell short of the mark owing to complex processes, lengthy documents and a general lack of training and awareness. The European Commission described 2020 as a year in which great groundwork had been laid for the protection of personal data, but admitted that more still needed to be done, specifically in enforcement, and highlighted the need for national Data Protection Authorities to engage with the EU representatives of overseas operators rather than the operators themselves, who, sitting overseas, may feel less urgency regarding compliance.

Overall, the European Commission had found that across the first two years of regulation, there had been a number of improvements brought about by the GDPR, including a level playing field for businesses across Europe, a greater awareness of citizens’ rights, and the GDPR’s flexibility to adapt to new technology.

Three years on: Where are we now and how do we proceed?

Reflecting on the past three years of GDPR, it is clear that the regulation has made a lasting impression and had a significant impact across the globe, with places such as California and the United Kingdom (post-Brexit) implementing their own versions of GDPR in commercial law. Concerning the issues that arose within the first two years of operation, it seems that regulators have vastly improved fairness and operations. GDPR fines, for example, totalled £245.3 million across Europe as of January 2021, and a total of 160,921 personal data breaches had been recorded. The greatest fines have been levied on Google, British Airways, H&M, Marriott and Telecom. Fines were typically higher depending on the severity of the data breach, which in retrospect is considered a fair system for organisations.

Despite the impact GDPR has had, reflecting on the 2020 pandemic and the rise in worldwide data breaches, it is perhaps time for the European Commission to shift from treating GDPR as 'groundwork' to making it a foolproof aid which organisations can follow to fully protect the rights and data of their consumers. Although this is a priority for the European Commission to consider within the next five years, there remain glaring issues regarding the lack of resources and financial aid for SMEs to follow through with even this basic groundwork level of regulation.

The primary limitation of GDPR felt in business operations is the cost and the limited resources available for organisations to improve their compliance, with no certifications or training provided for specific GDPR matters. The closest organisations can currently get is the International Association of Privacy Professionals' programme, regarded as the gold standard; however, this has not been approved by GDPR regulators. This has caused many SMEs to fall behind GDPR expectations, as there is still an overwhelming lack of support.

It is therefore essential, as we move forward in the world of GDPR, that the European Commission creates a fair and level playing field allowing organisations of any size to access low-cost resources with which to improve their level of compliance for their consumers, especially if regulations will tighten over the next five years. Although there are several low-cost solutions within the data storage market, such as affordable hardware-encrypted data storage drives from certified and GDPR-compliant vendors, the European Union must do more to provide low-cost training and resources for SMEs before discussing how GDPR regulations can be strengthened.