[BreachExchange] Plugging Third Party Data Leaks

Destry Winant destry at riskbasedsecurity.com
Wed Nov 20 10:12:40 EST 2019


https://www.infosecurity-magazine.com/opinions/plugging-third-data-leaks/

Organizations are now connected to more third parties than ever
before. Not only does the average organization have hundreds or even
thousands of third-party connections, but each of these will have its
own complex web of suppliers. This means that an organization can
easily find itself exposed to a security threat due to a vulnerability
in a company four or five layers removed along the supply chain.

A recent example is the compromise suffered by Korean biometric
specialist Suprema. The firm’s technology was used by Nedas, which
itself provided access control systems to more than five thousand
different organizations, including the police, defense firms, and
banks. As a result, the fingerprints of more than one million people
were left exposed, alongside facial recognition information and
encrypted usernames and passwords.

The incident is just one of many that demonstrate how an
organization's data is exposed to threats outside the control of its
own defenses. In order to operate in the interconnected digital world,
enterprises must equip themselves with the ability to identify and
mitigate these threats wherever they emerge.

The interconnected web of risks
The explosion in the use of cloud-based applications, in particular,
has greatly increased the number of third parties holding a company’s
data or accessing its network. Research has found that the average
large enterprise uses close to one thousand different cloud-based
applications, with many of these taking the form of shadow IT software
adopted by individual users that may not be on the CISO's radar.

Applications and services are often granted direct access to corporate
data, which means sensitive information can quickly spread across
multiple third parties outside of the network. While a firm can invest
in the best security defenses to protect their own corporate network,
they cannot ensure the same standards for their entire supply chain.

Implementing strong supplier vetting processes and adding specific
standards to supplier contracts will help to weed out many security
liabilities, but it is impossible to play gatekeeper for every
connection and prevent breaches within the thousands of other
companies.

Third party, first responsibility
The threat posed by a third-party data breach has grown in recent
times with the introduction of the GDPR. Organizations that are found
to have been negligent in their data security are still liable for
heavy punitive action by the regulators, even if the actual breach was
caused by a third party.

While enterprises cannot always prevent the loss of data through their
supply chain, they can mitigate the impact of a third-party breach by
gaining visibility over data outside of the corporate network.

Monitoring for breaches
First and foremost, enterprises need to know when their data has been
stolen or leaked outside of their own perimeter. This requires
real-time threat intelligence that accounts for multiple surfaces,
including Deep and Dark Web sources that are ordinarily hidden from
view.

Using targeted alerts for specific data sets will allow the company to
receive an immediate warning as soon as its data appears, whether it
has been stolen, leaked online or is being offered up for sale by
cyber-criminals. This will enable the security team to immediately
launch incident response activities, including notifying affected
customers, changing relevant login credentials, and locating and
closing the vulnerability that has led to the breach.

With such a vast number of sources to account for, breach alerts can
quickly become overwhelming if not managed properly. Combining a
multitude of sources into a single stream will make it easier to
monitor and prevent alert fatigue. Similarly, tuning monitoring and
alerts to specific data will help to reduce the number of false
positives, making it more likely that the alerts received by the
security team are relevant and actionable.

Plugging the leak
Valuable data sets such as customer databases can quickly spread
across multiple third-party connections, which means that even if a
breach is discovered, it can be all but impossible to determine where
it originated.

Firms can address this challenge by implementing a digital
watermarking system for all of their data. By imprinting a unique
watermark each time it is downloaded, the security team can quickly
and easily determine its origin, if it ever ends up in the hands of
criminals.

Organizations can then alert the relevant third party and ensure that
they take the necessary action to close any security vulnerabilities
that led to the breach. In many cases, this may even be the first time
the supplier becomes aware that they have suffered a security
incident.

Alongside breaches instigated by threat actors, tracking the origin of
leaked data can also help to expose poor practice by suppliers or
individuals themselves, such as the sale of customer data to data
brokers or criminals.

Narrowing the scope
Dark Web monitoring can also be invaluable for post-breach damage
control. If a set of stolen data is discovered and contains the
watermark used by a particular third party, the company will know that
the breach is limited only to the data that particular supplier can
access. This means they can concentrate on notifying only the
customers involved, rather than having to send an alert to their
entire customer base.

This kind of insight is particularly valuable in the post-GDPR
world. Tracking down the source of a data breach to a third party will
demonstrate a high level of responsibility from the company and
potentially reduce both fines and reputational damage.

By equipping themselves with the ability to quickly recognize stolen
data and identify its source, organizations can help to reduce the
risks created by the interconnected business world and protect their
data, regardless of where it ends up.
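
The watermark-and-attribute workflow from "Plugging the leak" and "Narrowing the scope", as an added example that is not part of the original article. The article does not say how the watermark is made; this sketch assumes seeded canary records derived with an HMAC per download, and the key, domain, download IDs and supplier names are all constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"      # assumption: a real key would live in a KMS/HSM
CANARY_DOMAIN = "canary.example.com"  # assumption: a domain the data owner controls

def canary_emails(download_id, count=3):
    """Derive the synthetic addresses that mark one download."""
    tags = (hmac.new(SECRET, f"{download_id}:{i}".encode(), hashlib.sha256).hexdigest()[:16]
            for i in range(count))
    return [f"u{t}@{CANARY_DOMAIN}" for t in tags]

def watermark_export(rows, download_id):
    """Return a copy of the export with canary rows spread through it."""
    out = list(rows)
    for email in canary_emails(download_id):
        digest = hashlib.sha256(email.encode()).digest()
        pos = int.from_bytes(digest[:4], "big") % (len(out) + 1)
        # The canary row gets a synthetic id so it looks like any other record.
        out.insert(pos, {"id": int.from_bytes(digest[4:7], "big"), "email": email})
    return out

def attribute_leak(leaked_rows, download_log, min_hits=2):
    """Map a leaked dump to the downloads it came from.

    min_hits below the canary count tolerates a partial dump. The result also
    lists which customer ids that download covered, which bounds notification.
    """
    leaked = {r["email"].strip().lower() for r in leaked_rows if r.get("email")}
    findings = {}
    for download_id, meta in download_log.items():
        hits = sum(e in leaked for e in canary_emails(download_id))
        if hits >= min_hits:
            findings[download_id] = {"party": meta["party"], "hits": hits,
                                     "exposed_ids": sorted(meta["customer_ids"])}
    return findings

# Constructed sample data: two suppliers pull different slices of the customer table.
CUSTOMERS = [{"id": i, "email": f"customer{i}@example.org"} for i in range(1, 9)]
DOWNLOAD_LOG = {
    "dl-0001": {"party": "supplier-a", "customer_ids": [1, 2, 3, 4]},
    "dl-0002": {"party": "supplier-b", "customer_ids": [5, 6, 7, 8]},
}
EXPORTS = {d: watermark_export([c for c in CUSTOMERS if c["id"] in m["customer_ids"]], d)
           for d, m in DOWNLOAD_LOG.items()}

if __name__ == "__main__":
    dump = EXPORTS["dl-0002"][1:]  # constructed leak: supplier-b's copy, first row lost
    print(attribute_leak(dump, DOWNLOAD_LOG))
```

Because the canaries are recomputed from the download log and the key, nothing per-recipient has to be stored beyond the log itself; the same addresses can also serve as the targeted alert terms described under "Monitoring for breaches".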

