Data exposure is one of the greatest risks facing an organization, loss of data can come through a number of different means, intentional and unintentional and can impact various types of data including Personally Identifiable Information (PII) as well as Intellectual Property (IP). Loss of data can affect credibility of an organization, competitive advantage, positioning in the marketplace and lead to sales loss. In fact, over 60% of small and medium businesses that experience a data breach are out of business within 6 months. Intellectual property is a casualty of data loss that is often understated. Loss of IP can affect competitive advantage, time to market,
Threat Vector Examples:
The threat vectors listed below could result in access to sensitive data including PII and IP.
- Compromised Credentials – credentials can be compromised in a number of ways, unintentional sharing through phishing attempts or malicious web links, key loggers.
- Weak Passwords – appropriate password complexity should be utilized, weak complexity enables brute force attacks and social engineering attacks
- Malicious Insiders- Many types of data loss are initiated through internal sources. Over 60% % of data breaches are initiated internally, including through intentional and unintentional means.
- 3rd Parties – 3rd parties and vendors are an extension of your supply chain.
- Malware/ransomware – malware and ransomware within a network or on a device could be capturing credentials, sensitive data or locking data and holding this data for ransom.
- Misconfigured Cloud Providers – a lack of properly configured controls in a cloud, hosted, SaaS, IaaS or PaaS environment could result in accessibility to sensitive data
- Lack of Encryption – Weak or no encryption enables accessibility to sensitive data in clear text.
- Phishing – phishing and spoofing refer to the misrepresentation of someone or a something, attempting to get credentials or sensitive data through this misrepresentation
- Trust – Leveraged for attacks when a trusted relationship exists within a domain or between two entities including (users and devices).
- Distributed Denial of Service (DDoS) – This attack attempts to prevent access to an application, server or website through a high volume of intensive activity. This could then create a buffer overflow situation exposing credentials or sensitive data.
- Brute Force – This attack utilizes repeated attempts to break a password or encryption, it crosses many of the attack vectors already identified.
- Zero Day Vulnerabilities – This is a vulnerability that nobody is aware of until the breach happens (hence the name zero day, as there is no time elapsed between when the attack happens, and the vulnerability is made public).
There are a number of strategies that can be leveraged to help with protection against Data Loss.
Understanding an organizations network perimeter and attack surface through a complete asset inventory allows development of a protective plan that encompasses all technologies within the (extended) perimeter. The asset inventory together with the data inventory raises awareness about the threat vectors that are concerning and assists with the prioritization and mitigation of vulnerabilities. The asset inventory also enables the implementation of a patching and vulnerability management process to protect the technology assets of an organization.
Providing multi-faceted Identity and Access Management for assets, systems and data helps defend against unauthorized access, misuse and potential theft of data. This can be accomplished by taking actions such as;
- Ensuring a userid does not enable intuitive determination of job level or responsible
- Following the principle of Least Privilege, ensuring that only access to data required to perform a function
- Password Protecting credentials with appropriate password complexity including including 10 characters, a combination of Upper and Lower Case as well as special characters. An even stronger strategy would include the use of Pass Phrases incorporate the character requirements identified.
- Management of privileged ID’s including a separation from regular use ID’s, reset of admin passwords and auditing and logging of privileged ID use
Implementing Multi-Factor Authentication adds a layer of protection in addition to user credentials forcing the use of 2 of 3 of something you know, something you have and something you are.
Encryption of data in motion and data at rest – Implementing appropriate encryption standards for data stored within your network, application access as well as across your communication and network channels provides a layer of protection at the data layer or communication layer.
Implement a Vulnerability and Patch Protection strategy – ensures vulnerabilities are tracked and addressed ion alignment with internal commitments, assists with the prioritization of those vulnerabilities, assists with the ability to prevent and respond to vulnerabilities and attacks.
The regulatory environment is a critical consideration when it comes to protecting your data. Government or industry regulations may define specific protection mechanisms that need to be in place, they may also help you understand risks and controls around data residency (location of data).
Taking a zero–trust approach to accessibility to devices, applications and data on your network helps ensure access to critical data is secured and mitigates the potential that a threat actor can gain unauthorized access and subsequently pivot and access data in an alternate location on the network.
Understanding the value of data and putting in place multi-faceted protective mechanisms around that data can help ensure survival in the event of a data breach or compromise. Every action that is taken by an organization provides one more hurdle for threat actors to overcome.