Last week, I wrote about some of the implications of Bruce Schneier’s recent talk at a cryptography conference held in New York. In short: APTs in combination with phishing attacks have upset the data security balance of power, with hackers (and government intelligence) coming out ahead. If you’ve been following along at the Metadata Era, this shouldn’t be a complete surprise, though, I admit having leading experts say that cryptography “is becoming less important” is troubling. But there’s another way to view the current situation.
For this next analogy, I’m indebted to one of the comments that my post generated over at Hacker News. We don’t say that door locks are ‘dead’ because they can be picked by anyone with the tools and training to do so. Just as there are better-quality locks and dead bolts, as Schneier points out, there’s strong crypto and other security measures that should be your default setting.
A Phishing Invitation
By all means, implement better security, encryption, and authentication. Schneier emphasized, though, that the real trick hackers have learned is to get around security barriers. In the case of phishing attacks, the cyber thieves won’t even need to pick the lock: they’ll be invited in through the front door.
According to the Data Breach Investigations Report (DBIR), Verizon’s annual survey of hacking and this blog’s favorite source for hacking stats, attacks where victims were tricked into revealing information, or socially engineered attacks, jumped by 52% in 2012. Phishing represents the largest component of social attacks—pretexting and old-fashioned bribing lag far behind.
As a corporate security expert, you’ll have to accept the hard truth that it takes just one phishing email or text message to fool or tempt an employee into clicking and downloading an APT payload. In other words, the hackers will get in. Now what?
Once the APT is activated and takes on the credentials of the targeted user, cyber thieves are remotely searching file systems for easily monetizable data—credit card, bank account, and social security numbers, along with other PII.
The Big Bang Theory of Human-Generated Data
This is where your understanding of how your data spreads through the file system becomes critical. Of course most company employees don’t intentionally leave millions of clear-text numbers in easily accessible folders. The key point is that unstructured data generated by workers has its own life cycle that can unfortunately lead to just this sort of inevitability.
Text-based credit card and other customer-specific account information often originates from centralized databases—think of records from ERP systems that are exported or downloaded by employees into readable files and spreadsheets.
But then the collaborative aspect of human data kicks in as knowledge workers contribute their ideas and analysis, generating a cascade of new content—often containing references to and excerpts of the human-readable versions of the original records. As presentations and documents containing the valuable PII travel through the file servers, it’s just a matter of time before PII-rich content ends up in a folder with, say, Everyone permissions.
With built-for-stealth APTs allowing hackers often months to crawl file systems, it’s a good bet they’ll find the treasure.
How to Deal with Phishing Attacks
The good news is that employees can be trained to spot phishing attacks. Here’s some basic information and advice you’ll want to make more widely available to your workers and IT staff:
- At work, never click on a link within an email purporting to be from a bank, airline, delivery service, or credit card company.
- Never extract a zip file from an outside address, especially from any of the previously mentioned types of companies.
- Employees should be trained to identify the domain names embedded within email addresses or website links. Often the hackers will obscure the real domain behind a brand-like prefix, but if employees expand the sender’s email address or hover over a link and read the underlying URL in the browser status bar, they’ll quickly see that the domain name differs from the alleged brand name.
- Some companies have even run simulated phishing attacks to measure employee susceptibility—it’s an idea you may want to explore.
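As an added illustration of the domain check described in the list above (example code written for this post, not from the original article), the function below extracts the host a browser or mail client would actually use and compares its registrable domain with a constructed allowlist for a hypothetical brand, "examplebank". It assumes single-label public suffixes (so `.co.uk`-style suffixes would need a public suffix list).

```python
import re
from urllib.parse import urlparse

# Constructed allowlist for this example: the registrable domains each brand owns.
# A real deployment would load this from a maintained list, not hard-code it.
BRAND_DOMAINS = {
    "examplebank": {"examplebank.com"},
}

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumes a single-label public suffix)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def host_from_link(link: str) -> str:
    """Host the browser would connect to; userinfo before '@' is ignored by design."""
    if "://" not in link:
        link = "http://" + link  # schemeless links are treated like the browser does
    return urlparse(link).hostname or ""

def domain_from_email(address: str) -> str:
    """Registrable domain of the sender, after stripping any display name."""
    m = re.search(r"<([^>]+)>", address)
    if m:
        address = m.group(1)
    return registrable_domain(address.rsplit("@", 1)[-1].strip())

def matches_brand(brand: str, link_or_email: str) -> bool:
    """True only when the registrable domain is one the brand is known to own."""
    looks_like_email = "@" in link_or_email and "://" not in link_or_email \
        and "/" not in link_or_email
    if looks_like_email:
        domain = domain_from_email(link_or_email)
    else:
        domain = registrable_domain(host_from_link(link_or_email))
    return domain in BRAND_DOMAINS.get(brand.lower(), set())
```

A hit on the allowlist is necessary but not sufficient; it only rules out the lookalike-domain cases the post describes, not a compromised legitimate sender.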
IT also has an important part to play in reducing or eliminating PII found in poorly permissioned folders and directories. Keep in mind that APTs generally don’t require elevated permissions to find and “exfiltrate” PII and other valuable data. IT’s goal should be to find sensitive data that has escaped from the more restricted areas of the file system. Here are some tips for mitigating a breach:
- A good defensive plan is to regularly scan the file system looking for PII patterns in non-standard locations. PII definitions vary by industry—medical and financial in particular have their own regulations—so you’ll need to review legal definitions or industry-standard compliance rules in developing search patterns.
- It’s also critical that data owners are part of an approval workflow for new users requesting access, and that they regularly review existing users to remove those who no longer require access. In other words, the idea is to minimize the number of users who have access to sensitive data, making it less likely that a random user targeted by a phishing attack will have access to PII.
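The first tip above, scanning the file system for PII patterns outside their approved home, as an added example written for this post (not code from the original article). It uses a Luhn check on card-number candidates and basic SSN format rules to cut false positives, and builds a constructed sample tree in a temporary directory; the "finance" folder name and the sample values are assumptions for the demo.

```python
import re
import tempfile
from pathlib import Path

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in dashed form; ssn_ok() drops values the format rules make impossible.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs (order ids, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_ok(area: str, group: str, serial: str) -> bool:
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

def find_pii(text: str) -> list:
    """Return (kind, value) hits for card numbers and SSNs found in one text blob."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", digits))
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            hits.append(("ssn", m.group()))
    return hits

def scan_tree(root, approved) -> dict:
    """Map each file outside the approved top-level folders that holds PII to its hits."""
    root, findings = Path(root), {}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if not path.is_file() or rel.parts[0] in approved:
            continue
        hits = find_pii(path.read_text(errors="ignore"))
        if hits:
            findings[rel.as_posix()] = hits
    return findings

def demo() -> dict:
    """Constructed sample tree: 'finance' is the approved home for exports, 'shared' is not."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir(); (root / "shared").mkdir()
        (root / "finance" / "export.csv").write_text("4111 1111 1111 1111,123-45-6789\n")
        (root / "shared" / "deck_notes.txt").write_text("card 4111-1111-1111-1111 ref 000-12-3456\n")
        (root / "shared" / "readme.txt").write_text("order 1234567890123 id 12345\n")
        return scan_tree(root, ["finance"])
```

Only the stray copy in the shared folder is reported; the 13-digit order number fails the Luhn check and the malformed SSN is dropped by the format rules.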