The Escape Artist – How to Stop the Data Thief
4 October 2017 | 10:56 am
When you watch Ocean’s Eleven you know that breaking in is only half the battle; you also have to get out unnoticed or undetected. The same thing that is true for bank robbers and cat burglars also holds true for hackers.
If you are a business owner or executive responsible for keeping your customers or your corporate data secure and you think it’s all about stopping the bad guys (and gals) from accessing your data, you are missing what might be the biggest point of failure: their escape.
Over the years we have seen that many breaches are not noticed or identified for months and sometimes even years, which means not only did the bad guy get away with it, they were then able to sell the stolen data or start using it without worry that they would be noticed. That’s good news for them, but not so good for you.
In order to fully discuss the escape portion of the breach, the part that most people forget to talk about or protect against, let’s look at the three main players or threat actors in this scenario. Going forward I will use the common term “hacker” to mean any of these threat actors.
- The external hacker with no authorized access to your network: These are the people who sit behind their computers anywhere in the world and try to find networks that are open or system vulnerabilities just waiting to be exploited. Open networks are typically those that do not have good firewall rules, have publicly facing systems that should not be publicly accessible, or have exploitable web application vulnerabilities. It only takes one bad line of code, one misconfigured firewall rule, or one forgotten system on the perimeter to leave your organization exposed. Once you are exposed and they are in your network, that is where their fun begins.
- The third party vendor or partner who has direct access to your network (usually via VPN): These are the organizations outside of yours that you do business with and that need access to your network. They might provide you data or receive data from you, they might monitor another system that you manage, or they might do a number of other legitimate activities. However, if you don’t know how secure their networks are, which you never truly will, or you don’t know who they employ, you have opened up your network to their network and their people. If they are hacked and that hacker finds the access to your network – boom, they are in.
- The trusted employee: Your employees are not going to harm you, right? Most of them will not, and even the ones that do are often not trying to harm you. But even employees who mean no harm make errors or misuse their credentials, which lead to breaches and data loss.
Once the data has been gathered by the hacker they need to get it out of your network and into their control: the escape. Many organizations fail here by making the escape too easy or by letting the hacker get out undetected. You must know all your outbound connections, they must all have a legitimate business need, they must be reviewed on a regular frequency to ensure they are still needed, and they must be monitored.
You may think this sounds like a lot of work, but if set up properly with the right tools and processes it does not have to be cumbersome going forward. If it was not built right the first time, it can take some time to put in place, but honestly the pain of discipline in this scenario is going to be much better than the pain of regret later.
If you are reading this and thinking, “I have no idea if data can get out of my network unnoticed,” start asking these questions of the people who work for you and manage your infrastructure. Below are the questions you can ask, the answer you want to hear, and the next step if the answer is not what you are looking for. The next steps are high level and might require outside assistance or third party tools and vendors.
| Question | Answer you want to hear | Next step if the answer is not what you are looking for |
|---|---|---|
| Do we have all our outbound firewall rules documented with business justifications? | You want the answer to be yes. | Implement a plan to have the network team spend the next few months documenting all firewall rules. This will mean working with business owners to understand what traffic is necessary and where it has to go. |
| How often do we review the rules to ensure they are still needed? | You want the answer to be at least every six months. | Implement a plan, either manually or with automated tools, to start reviewing rule sets at least every six months to ensure they are still needed, still use secure protocols, and are going to the correct destination outside your network. |
| What are we doing to monitor outbound traffic? | You want someone to be able to give you specifics and to have incident response plans that explain what they do if they see malicious or anomalous traffic. | Document an incident response plan, determine what third party resources might be needed in the event of an incident, and put processes in place to monitor traffic for anomalies or suspicious behavior. |
| How would we know if sensitive data left the network? | You want a specific answer that should be easy to find if it’s being done. | Research data loss prevention solutions or other network detection tools. |
| Do we allow encrypted data out of the network? | The answer should be no: we only send encrypted data to organizations that we have vetted and only to specific IP addresses they have given us. | This is important because malicious users and hackers will actually steal your data and encrypt it with their own encryption keys so that it is undetectable by Data Loss Prevention (DLP) software and so that no one can steal it from them. Yes, they are often more aware of security than you are. |
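As an added example that is not part of the original post, the following script turns the first two questions and the "vetted destinations" rule above into checks a network team could run against its own outbound rule inventory: every rule needs a business justification, a review within the last six months, a secure protocol, and a destination on the vetted list. The CSV inventory, the vetted IP addresses and the column names are constructed for illustration.

```python
# Audit a constructed outbound firewall rule inventory (example code, not
# from the original post). Checks: documented justification, reviewed within
# six months, secure protocol, destination on the vetted partner list.
import csv
import io
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=182)           # "at least every six months"
INSECURE_PROTOCOLS = {"ftp", "telnet", "http"}  # cleartext transports
# IP addresses our vetted partners gave us (constructed values).
VETTED_DESTINATIONS = {"203.0.113.10", "198.51.100.25"}

# Constructed inventory; the columns are the documentation the post asks for.
RULES_CSV = """\
id,dst_ip,port,protocol,justification,last_reviewed
1,203.0.113.10,443,https,Nightly payroll export to vendor A,2017-08-01
2,192.0.2.77,21,ftp,,2016-01-15
3,198.51.100.25,22,sftp,Claims file to partner B,2017-03-15
4,203.0.113.10,80,http,Legacy status page,2017-09-20
"""


def audit_rules(csv_text, today):
    """Return {rule_id: [findings]} for every rule that fails a check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        problems = []
        if not row["justification"].strip():
            problems.append("no business justification")
        reviewed = date.fromisoformat(row["last_reviewed"])
        if today - reviewed > REVIEW_INTERVAL:
            problems.append("not reviewed in six months")
        if row["protocol"].lower() in INSECURE_PROTOCOLS:
            problems.append("insecure protocol %s" % row["protocol"])
        if row["dst_ip"] not in VETTED_DESTINATIONS:
            problems.append("destination %s not vetted" % row["dst_ip"])
        if problems:
            findings[row["id"]] = problems
    return findings


def audit_sample():
    """Run the audit on the constructed inventory as of 4 October 2017."""
    return audit_rules(RULES_CSV, date(2017, 10, 4))


if __name__ == "__main__":
    for rule_id, problems in audit_sample().items():
        print("rule %s: %s" % (rule_id, "; ".join(problems)))
```

In the constructed data rule 1 passes every check, while rule 2 fails all four and rules 3 and 4 each fail one, which is the kind of list a six-monthly review should produce for the business owners to act on.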
If no one can answer these questions or you are not happy with the answers, take a deep breath and start a new conversation. No finger pointing and no yelling, but an open and honest conversation with your staff about why this is important and how things are going to have to change in order to keep the data secure.
Lastly remember that tools do not solve all problems and only work when implemented correctly. There is no silver bullet no matter what a vendor tells you. Ensure you have the right people asking the right questions of the vendors if you are bringing in a tool or managed service offering to monitor your network.
This is of course just the start of the conversation and the beginning of what needs to be done. If this is overwhelming and you don’t know where to start or what to do next, I can answer your questions. Email firstname.lastname@example.org to discuss your questions or concerns on this topic. I am a 12-year security veteran and have seen hundreds of different networks and situations, and I am happy to discuss your situation with you.