To assess your security needs you must not only understand what the loss of various types of data could mean to your business, but understand the various ways a loss can take place. In the first installment in this series of blogs, I covered risk assessment from the perspective of the types of loss a business can suffer—in short, hardware and software failures, malicious or self-serving modifications, destruction, or theft. This blog focuses on the mechanisms for malicious loss.
Once you’ve placed a value on your data, you must have a pretty good idea what types of attack you may want to defend against before you can design protections against them. Even in today’s security conscious environments, losses still occur. More and more often high-profile losses turn out to involve human error, failure to follow existing processes and procedures, or an inside accomplice. That said, there are still far too many losses from insufficient attention to the creation of policies and procedures, separation of duties and other barriers to loss.
Although only the most sensitive and valuable data might require protection from all the types of threats in the list below, my goal is to ensure you are thinking broadly about where loss can originate. All of these methods, and more, have been used for malicious purposes or personal gain.
Data retrieved by a person with legitimate access, but used for illegitimate purposes.
This might include data for insider trading, blackmail, spying or stalking, sale or other gain. The data involved isn’t always credit card or social security information either. In some industries, a motive might be industrial espionage and source code or procedures are the target.
For example, I’ve seen cases where permanent and contract positions were filled by people whose sole purpose in applying turned out to be to infiltrate the company so as to give some other organization inside information, and even to attempt to create a back door. Such threats don’t just come from competitors. If your security is good, the threat might come from organized crime, even in other countries, that either wants your data or wants to harm your company.
Operations such as modification or deletion of data performed by an authorized person for unauthorized reasons.
This could be used to steal, to cover up theft, or to obtain other goods and services for personal gain. It might also be a mechanism for a disgruntled employee to ‘exact revenge’.
Access can sometimes be used to create a back door: an access mechanism that doesn’t require the normal authorization process or isn’t included in authorized-activity reporting. The most common instance is excess authority granted to an otherwise legitimate credential or permission set.
There was a time when the most common source for confidential information was going through the trash of companies that held such data. While this isn’t nearly as effective as it once was, it’s still quite common to see people throwing away un-shredded reports with confidential information. Scrap paper, Post-it notes and the like with IDs and/or passwords scribbled on them often go into the desk bin. You might think such passwords would be obsolete before being tossed, but typically the IDs are not, and more often than not, people use some kind of pattern that makes obsolete passwords the key to guessing the current one.
Another path that confidential data takes in leaving a company is in employee laptops, PDAs and even phones. Even if stealing an employee laptop or phone doesn’t yield confidential information directly, such devices often contain IDs, passwords or sensitive data cached in swap files.
Programmers often hold software designs, source code or procedures that can be analyzed for weaknesses when planning external attacks.
When those avenues don’t present themselves, a facility can sometimes be simply walked into.
Posing as cleaning staff, building maintenance staff or others with legitimate access, or getting a job that grants legitimate access through such a service company, is another way to gain direct access to employee desks and even rooms containing infrastructure. Passwords on the bottom of keyboards or under a pencil drawer are easy prey, as are reports or other documents containing confidential data. With today’s smartphone technology, almost everyone has a camera at hand that would never be considered suspicious.
How long would it take to notice a backup tape missing? Physical hardware such as desktop computers, servers, hard drives or backups need not be removed to be copied. Although hard drive encryption is very common on corporate laptops, the technology is expensive to maintain and therefore less common on machines that never leave company premises. Moreover, such products are often designed to protect the hard drive from being booted or read from another machine, but offer little or no protection when the machine is already legitimately running.
An unauthorized person in the office area outside of working hours may have plenty of opportunities to copy data or to install hardware or malware that collects information for later malicious use.
Electronic Theft and Vandalism
By far, this is the type of ‘hacking’ that gets the most media attention, perhaps for good reason. When looking for easy money, prestige in a hacking community or revenge for some incident, the idea that one need never leave their bedroom to hack is appealing. The real danger, however, isn’t that this form of attack is easier; in many ways it isn’t. It is a more threatening vector because of the sheer volume of attackers that potentially might gain access. Every vector covered so far required proximity or literal physical access to the data. Electronic threats can come from potentially anywhere in the world.
You may think that I might write the most about electronic threats and attacks, but in fact, they are probably the only things I really don’t need to cover.
From an electronic perspective, Wi-Fi sniffing can be a simple access method if the encryption used isn’t very strong. There are several types of encryption still commonly used that are very weak.
Although proximity to your network is required, physical access to your premises often is not. EMF-based monitoring of your physical internal network takes both sophisticated equipment and proximity; however, if physical access is available, sniffing (wiretapping) is not difficult at all. Tools are readily available for use in troubleshooting network problems, and unencrypted data often flows freely across internal networks.
What people often consider traditional hacking is when an interface is deliberately presented to the outside world and the attacker uses loopholes and weaknesses in interface code and protection schemes to see into the underlying systems, or sometimes, to actually place code or make other changes on those systems.
Malware on Network Authenticated Machines
This was the underlying path used in several high-profile attacks. Mechanisms for planting such malware range from gaining physical access, to electronic hacking, to social engineering. Many companies employ measures aimed at preventing externally originating network attacks but often ignore the other two vectors.
When it comes to deliberate creation of external interfaces such as a website or other external APIs, you basically must assume that any interface that is external facing has already been compromised when planning security. At least one additional level of protection is required, otherwise no protection actually exists.
When it comes to information systems supplying data to an external interface, you must assume the external interface has no ability to limit or prevent injection attacks. The authorization granted to an external interface should have absolutely no authority on any server or other accessible device. For any device to which an interface has write access of any kind, expect that someone will find a way to write some kind of malware onto it.
Ideally, no updates should be done in real time unless the nature of those updates passes some level of reasonableness testing. Any workflow actions, file manipulation or other activity must require use of credentials other than those used by the interface and the interface must not have any mechanism to directly control those actions. The list of possible actions must be well defined and not contain points of programmability.
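The broker pattern described in the last three paragraphs, as an added example that is not part of the original post: the external interface can only name one of a fixed set of actions with validated parameters, updates that fail a reasonableness test are deferred instead of applied in real time, and the back end is reached only through the broker. The action names, the refund limit and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable

REFUND_LIMIT = 500.00  # assumed reasonableness threshold for a real-time refund


def _is_ident(v: Any) -> bool:
    # Identifiers are opaque tokens: no punctuation, no room for injected syntax.
    return isinstance(v, str) and v.isalnum() and len(v) <= 32


def _is_amount(v: Any) -> bool:
    return isinstance(v, (int, float)) and not isinstance(v, bool) and 0 < v <= REFUND_LIMIT


@dataclass(frozen=True)
class Action:
    params: dict[str, Callable[[Any], bool]]  # parameter name -> validator
    realtime: bool                            # may apply immediately, else queued for review


# The complete, closed list of things the interface may request. Nothing is programmable.
ACTIONS = {
    "order.status": Action({"order_id": _is_ident}, realtime=True),
    "order.refund": Action({"order_id": _is_ident, "amount": _is_amount}, realtime=False),
}


def validate(request: dict) -> tuple[bool, str]:
    """Return (accepted, reason). The broker, never the interface, makes this decision."""
    spec = ACTIONS.get(request.get("action"))
    if spec is None:
        return False, "unknown action"
    params = request.get("params", {})
    if set(params) != set(spec.params):  # reject missing and extra fields alike
        return False, "parameter set does not match action"
    for key, check in spec.params.items():
        if not check(params[key]):
            return False, f"parameter {key!r} failed reasonableness check"
    return True, "realtime" if spec.realtime else "queued"


def broker(request: dict, backend: Callable[[str, dict], Any]) -> dict:
    """Dispatch only validated real-time requests. `backend` is called with the
    broker's own credential (a constructed stand-in here), never one from the interface."""
    ok, reason = validate(request)
    if not ok:
        return {"accepted": False, "reason": reason}
    if reason == "queued":
        return {"accepted": True, "reason": reason}  # held for out-of-band approval
    return {"accepted": True, "result": backend(request["action"], request["params"])}
```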
Contrary to the level of hype given other forms of hacking, this is by far the most common and successful form. It consists of compromising computers that already have authenticated access by manipulating the user’s web browsing habits, or through IM, email or other payload paths, often combined with social engineering techniques to subvert automated threat detection or mitigation mechanisms. Once such an attack is successful, malware can perform keyboard monitoring or memory and file scraping for confidential data, or for data that can be leveraged in more ambitious attacks.
The screen and keyboard/mouse are often mistaken for the only user interfaces, but in years past the most common form of infection was through floppy disks. This avenue is still available and remains a point of vulnerability in the form of phones, thumb drives, DVDs and Bluetooth devices. In addition, malware can use VPN paths into otherwise secure networks to wreak havoc.
Entire books have been written to list the mechanisms by which data loss can occur. This scratches the surface pretty well, but by no means should be considered comprehensive. As stated earlier, I want to be sure you are thinking broadly about where your data might be vulnerable.
In the third and final blog in this three-part series, I will address the mindset needed to design proper protections and how to look at the extent to which various protection types mitigate various risks.