[BreachExchange] Don't overlook these two hidden risks to your corporate data

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 26 21:53:22 EDT 2016


http://www.techrepublic.com/article/dont-overlook-these-two-vulnerabilities-of-corporate-data/

Ever since Hackopcalypse 2014, which included data breaches on the likes of
Sony and eBay, corporate security teams have had to spend each day proving
to colleagues, customers, and shareholders that internal data will remain
private and secured. But even though "Super Duper Enterprise A" may have
the best firewall hardware on the market and the best intrusion detection
software available at a premium, two critical vulnerabilities are waiting
to pounce: corporate vendors and internal colleagues.

Corporate vendor security

Just because you're Super Duper Enterprise A, that doesn't mean you don't
do business with the local SMBs. Besides boosting community morale and
economy, it's convenient to have some services available to your company
locally. The weekly doughnut and bagel day, the spring and summer barbecue
lunch, and the annual holiday party are all events sponsored by corporate
dollars and contracted through the local vendors. The data your SMB
partners have in hand may seem minimal, but it's still critical corporate
data. Contact information and services rendered may be valuable to an
individual who hacks the SMB's network. As an InfoSec professional, you
know what measures you have in place—but what about the SMB? The extent of
its security depends upon available resources and what's affordable for it
to implement.

For example, a lunch meeting with your department heads exposes corporate
data the moment a colleague pays with the company credit card. The card is
handed to the wait staff, the server walks away with the bill, and everyone
assumes the card won't be run through a credit card skimmer. Or maybe the
invoice data the vendor owns is stored on an old, unpatched Windows XP
computer. These risks are quite possible.

Internal colleagues and staff

I've mentioned previously that internal IT department members are the worst
users on the corporate network. But that doesn't mean that all other
departments in the enterprise are immune to security threats. Think of some
of the more stressful times in your organization: the dreaded
quarter-close, year-end, and year-start. Each of these calendar events is
stressful and rich in data. When it comes to the technology black market,
data is a valuable commodity.

An overworked staff accountant may be in the weeds trying to get the books
closed. An urgent email hits his inbox. "The CFO is demanding the latest
payroll journal to determine the executive bonuses." Being an obedient
staff accountant, he sends the spreadsheet to the "CFO." Sadly, the email
requesting this data was spoofed. This means some nefarious individual now
has private payroll data of all the executives in the company.

When it comes to internal colleagues exposing sensitive corporate data,
it's all about timing and pulling the emotional strings. Along with having
the technical skill set to spoof a business's email address, the attacker
executed the data breach beautifully by understanding the time of year and
knowing who to target at a busy time. The accountant's inbox was
potentially flooded with deadline notifications and requests, which created
a stressful environment. This makes for an easy target.
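A defender-side check for the spoofed "CFO" request described above, as an added example that is not part of the original article: it flags inbound mail that claims the company's own domain in From but fails the mail gateway's authentication stamp, or that redirects replies to an outside domain. CORP_DOMAIN, the Authentication-Results header (RFC 8601) and the sample message are assumptions constructed for the example.

```python
"""Flag inbound mail that claims to come from our own domain but fails
authentication or redirects replies elsewhere.

Added example for the spoofed "CFO" request scenario; not from the article.
Assumes the mail gateway stamps an Authentication-Results header (RFC 8601)
and that CORP_DOMAIN is the company's own domain (placeholder value)."""
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"  # placeholder for the company's own domain


def _domain(addr_header):
    """Return the lowercase domain of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw_message):
    """Return the reasons a message looks like a spoofed internal sender.
    An empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    reasons = []
    if _domain(msg.get("From")) != CORP_DOMAIN:
        return reasons  # external senders are handled by other controls
    auth = (msg.get("Authentication-Results") or "").lower()
    if not auth:
        reasons.append("no Authentication-Results header from our gateway")
    for mech in ("dmarc", "spf", "dkim"):
        if f"{mech}=fail" in auth:
            reasons.append(f"{mech} failed for internal From domain")
    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != CORP_DOMAIN:
        reasons.append(f"Reply-To points to external domain {reply_dom}")
    return reasons


# Constructed sample: the urgent "CFO" request from the article scenario.
SAMPLE_SPOOFED = """From: CFO <cfo@example.com>
Reply-To: cfo.office@example-mail.net
To: accountant@example.com
Subject: URGENT: latest payroll journal
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;
 dmarc=fail header.from=example.com

Please send the payroll spreadsheet for the executive bonuses today.
"""

if __name__ == "__main__":
    for reason in spoof_indicators(SAMPLE_SPOOFED):
        print("-", reason)
```

In practice the gateway would quarantine or banner such a message rather than rely on the accountant to notice.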

The same principles can be used outside email. Hang out in the hallways and
lobbies of an enterprise. Colleagues discuss the woes of the day quite
regularly, regardless of who might be walking by. Someone may even pose as
a facilities service technician and listen in on complaints about systems
or software being used by the company.

"Our SuperFab CRM software is horrendous," one colleague says. "We're still
running an older version and haven't been able to upgrade."

To an average bystander, those sentences might mean nothing. But to a
person keen on network intrusion and data theft, this is critical
information. Knowing what software is in place at a company is a tiny
window that can be opened, and that tiny window can lead to other
breadcrumbs of clues. This corporate environmental data can prove to be
valuable in the right hands—all because employees decided to rant about
their day at work in public.

What can you do to manage these risks?

Unfortunately, there's not much you can do about how your vendors handle
data. If you have concerns about a vendor's best practices with your data,
you can diplomatically suggest more effective procedures and explain the
risks. Or you can sever all ties with said vendor in your company's best
interest.

The risks posed by internal colleagues can be addressed through internal
communication and training. You can send company-wide emails—but
understand that emails coming from the IT department are ignored even more
than emails from a Nigerian Prince. I suggest taking the measures to upper
management. Advocate the use of mandatory online training or a few webinars
that require the internal colleagues to sign up and confirm completion
electronically. Doing something like this two to four times per year could
plant a seed in the minds of the internal staff showing just how serious
the company is about private data.

Other suggestions?

Securing your corporate data with hardware and software is a must, but
understanding the risk associated with environmental data is just as
critical. What advice do you have on managing the corporate data shared
with vendors and among internal staff?