
teissTalk: Securing your sensitive data from exfiltration

 

On 6 June, teissTalk host Tom Langford was joined by Neil Hare-Brown, CEO, STORM Guidance; Prince Adu, Board Member - ISACA Accra Chapter, ISACA; and Darren Williams, CEO, BlackFog.

 

Views on news


Seven hospitals run by two NHS trusts have suffered serious disruption to their services as a result of a ransomware attack targeting a private company that analyses blood tests for them. Criminals are increasingly going for soft targets with high-value data, which has turned healthcare into the largest attack sector. The second one is education and the third is government – all three lagging behind in terms of cyber security. Cyber security should now be as high on the government’s agenda as physical health and safety has been for quite some time.

 

In the US, publicly traded companies have recently been mandated to have some sort of cyber security representation on their board. If governments start and continue regulating critical sectors, it will eventually trickle down to the private sector as well. The attack on NHS trusts is in fact another example of a supply chain attack. Today’s situation is also a result of IT budgets that have been kept low for decades, where cyber security was only one of the budget items. Organisations that have cyber incidents frequently spend less than 0.5% of their revenues on their IT budget. Ideally, this number should on average be between 3% and 5%, depending on the sector.

 

Explaining “cyber economics”, i.e., the cost of downtime for the business, etc., to the board can lead to more generous budgets. Close collaboration between the CISO and the CFO is essential to this approach. Businesses also need monitoring systems that give them visibility of their 2nd and 3rd parties’ cyber defences, so that they can cut those parties off from their supply chain network if they create an attack surface.

 

What data cyber criminals are after and where they get it from


Criminals tend to exfiltrate data primarily via endpoints. However, there are many different targets on the endpoint – phishing being the most common technique. Such an attack can lead to many things, such as escalating privileges or taking over the user’s machine. The breach may lie dormant for some time and then criminals will exfiltrate data during national holidays, when they are less likely to get caught out. One always has to assume that the bad guys are already at the backdoor. Typically, nobody is tasked with watching what data is flowing out.

 

The most typical path to data exfiltration is still account hijacking following the deceitful acquisition of credentials. Deep fakes now add a new layer to social engineering, enabling cyber criminals to even join online business meetings. A new approach to detecting exfiltration is to put canary tokens procured from vendors into company data and monitor whether they show up on the dark web. Up to 98% of organisations can’t identify the data that has been exfiltrated when they get breached.

 

Start-ups offer services that establish the sensitivity of the data, as well as its location on the network. However, they can’t do this retroactively with petabytes of data that a business has accumulated. With good data governance, it’s easier to detect infiltration and remediate vulnerabilities. If you implement a DOP, you will know that your EDR doesn’t work properly and get alerts of C&C callbacks when an infiltration is happening.

 

If good data governance is not in place, ransomware negotiations with criminals will also need to include the business getting information about what data has been stolen and its nature – databases, file systems, mailboxes, etc. Criminals give victims an idea of the nature of the data stolen by sending screenshots of it and information regarding which server they found it on. Existing security frameworks tend to focus on network security rather than data management. Nevertheless, businesses should have a clear view of the process of how internal users and third parties log into their system.

 

BlackFog, for example, has functionality that will show you what happened on your network overnight. Alternatively, just look at your log data, as bad things usually happen on the network while staff are sleeping.
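The panel's two points about timing (exfiltration during national holidays, and reviewing what happened on the network overnight) can be turned into a simple log review. The following is an added example, not code from the talk or from any vendor mentioned; the CSV record layout, host names, holiday calendar, staffed hours and byte threshold are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, date

# Constructed sample egress records: timestamp, internal host, destination, bytes sent out.
SAMPLE_FLOWS = """\
2024-12-24T14:05:00,ws-041,203.0.113.10,48000000
2024-12-25T02:10:00,fs-01,198.51.100.7,900000000
2024-12-25T02:40:00,fs-01,198.51.100.7,1200000000
2024-12-25T03:15:00,ws-017,203.0.113.10,15000000
2024-12-27T10:30:00,fs-01,203.0.113.10,2500000000
2024-12-28T23:50:00,db-02,192.0.2.55,700000000
"""

HOLIDAYS = {date(2024, 12, 25), date(2024, 12, 26)}  # assumed holiday calendar
WORK_START, WORK_END = 7, 19                          # assumed staffed hours (local time)
THRESHOLD_BYTES = 500_000_000                         # assumed per-host, per-day budget


def is_unstaffed(ts: datetime) -> bool:
    """True when nobody is likely to be watching: night, weekend or holiday."""
    return (ts.date() in HOLIDAYS or ts.weekday() >= 5
            or not WORK_START <= ts.hour < WORK_END)


def off_hours_egress(log_text: str) -> dict:
    """Sum outbound bytes per (host, day, destination) for unstaffed periods only."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue  # skip blank or malformed records
        ts = datetime.fromisoformat(parts[0])
        if is_unstaffed(ts):
            totals[(parts[1], ts.date(), parts[2])] += int(parts[3])
    return dict(totals)


def flag_exfil_candidates(log_text: str, threshold: int = THRESHOLD_BYTES) -> list:
    """Return (host, day, destination, bytes) rows over the threshold, largest first."""
    hits = [(h, d.isoformat(), dst, n)
            for (h, d, dst), n in off_hours_egress(log_text).items() if n > threshold]
    return sorted(hits, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    for host, day, dst, sent in flag_exfil_candidates(SAMPLE_FLOWS):
        print(f"{day} {host} -> {dst}: {sent / 1e6:.0f} MB sent while unstaffed")
```

The large transfer on the staffed Friday is deliberately not flagged here; it belongs to a separate daytime baseline rather than the off-hours review the panel describes.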

 

The panel’s advice

  • Don’t sign contracts with solution providers that offer technologies that only run on legacy technologies. Procuring software that supports current technologies makes patching much simpler as well.
  • Getting the board interested in cyber security is a bit like piquing cyber professionals’ interest in balance sheets. The language that the board understands, though, is centred around risk.
  • Design a data strategy that can serve as a foundation to your cyber security programme.
  • Start from a data governance perspective, which will guide the implementation of security and technological solutions and help with incident response too.
  • Think before you click.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543