Three Business Strategies Exposing Your Sensitive Data

It won’t have gone unnoticed by most CISOs that, over the past few years, companies have started adopting new business strategies that

    •  gain greater efficiencies by migrating core business services to the cloud
    •  allow more employees to work remotely
    •  forge deeper integration into supply chains

 

Each comes with its business pros and cons. However, they all share a common factor: they involve the transfer of sensitive business data and intellectual property outside of the secure corporate network.

 

As a result, they increase the exposure of sensitive business data to deliberate theft, though not necessarily in the ways that first come to mind.

[Image: two people in an office discussing work, looking at a laptop. Image courtesy of storyset on Freepik]

Three Business Strategies that Increase the Likelihood of a Breach

Data is one of a company’s most critical assets. Business data informs decision-making, drives innovation, enhances customer experiences and provides a competitive edge. But what is valuable to a business is usually valuable to others. That is why data is usually the intended goal of a cyber-attack.

 

Before COVID, CISOs spent a good deal of time and money keeping data within the four walls of the business, where it could be controlled and secured. Today we transfer more data than ever before outside the confines of the corporate network, to destinations we have little control over, via networks we have little control over.

 

At the same time, cybercriminals have ever easier access to sophisticated tools, and nation states use phishing and ransomware to disrupt rival states. All of which fuels an insatiable underground market for stolen data.

 

Data breaches are commonplace, often with serious business consequences: termination of contracts, reputational damage, fines or even imprisonment. At the extreme, a breach can end the business. And it is not just Personally Identifiable Information (PII, regulated under GDPR) or Protected Health Information (PHI, protected under HIPAA) that is at risk. Of greater monetary value is information such as intellectual property, internal documents, emails, customer data, pricing lists and R&D material.

 

So, which recently adopted business practices are having the most impact on data exposure?

 

Data Exposure in Cloud Services

The adoption of cloud services has revolutionized business operations. At the same time, it has introduced new exposure risks to data.

 

The oft-discussed risks to data in cloud services, the ones everyone thinks of first, include where the data is stored and how it is secured; the likelihood of an insider at the provider, or an unauthorised provider employee, gaining access to it; account hijacking or stolen credentials; stored data being deleted; and API vulnerabilities. Mitigating much of this comes down to contractual due diligence when selecting a supplier. Encryption addresses some concerns about data in transit, ideally rendering intercepted data useless, but the choice and configuration of that encryption often rests with the provider.

 

Less obvious, and often overlooked, is the question “WHERE is the user’s device attempting to send the application data?”. Applications are trusted to such an extent that we overlook where their egress data is destined.

 

Yet data destined for cloud services is open to exploitation through

    1. the redirection of sensitive cloud data to a compromised endpoint with the intent of deliberate theft
    2. the redirection of sensitive cloud data to a compromised endpoint with the intent to cause business disruption.

 

Most cloud services are reached through public hostnames. If name resolution can be subverted, for example by DNS re-routing, an attacker can receive the data instead of the provider, or mirror a copy to a malicious server. Correctly validated TLS makes a DNS redirect alone insufficient, but a malicious root certificate installed on the endpoint, a client that skips certificate validation, or an application that falls back to plaintext removes that protection. Many cloud services also run as desktop applications, such as Microsoft Office or Google Drive. A single misconfiguration or vulnerability in the application, or in the underlying network (such as a firewall misconfiguration), may allow an attacker to change where the data is delivered.

 

Consider this from the point of view of Microsoft’s cloud services. What data could an attacker obtain by redirecting the synchronisation of an Outlook .OST mailbox cache to a malicious endpoint? What user and business impact would follow from deliberately forcing Office 365 synchronisation into a black hole?

 

The correct way to prevent threats to outbound data is to challenge the destination of every transmitted flow. Is the data going to the correct destination IP address? If not, terminate the flow before it becomes a breach.

Data Exposure from a Hybrid Workforce

Covid inspired a revolution in where employees are prepared to work from. Today, staff expect to be able to work from anywhere: the office, home, a hotel, a train, an airport, a coffee shop. All of these are beyond the IT/IS department’s control. Furthermore, staff expect access to the same sensitive data as they would have from the office. A 2023 Pew Research Center survey found that, among workers whose jobs can be done remotely, 35% now work from home full time, and a further 41% work a hybrid schedule during the week. There is some evidence that users are more susceptible to phishing when working remotely, as cybersecurity awareness psychologically drops outside the office.

 

Again, the risks that first come to mind are things like home Wi-Fi typically being less secure than the office network, opening the door to man-in-the-middle attacks, or whether the remote device is receiving updates as promptly as an office device. Much of this can be mitigated by a good endpoint security solution, which typically provides better visibility of devices, enforces updates and blocks some threats in real time. Similarly, Data Loss Prevention (DLP) tools can detect accidental exposure such as sensitive data sent by email or posted to web forums. Today, many DLP solutions also include User Behaviour Analytics (UBA) that monitor which applications a user launches and which files they access. One drawback of DLP is that the high cost per seat makes it prohibitive to scale across an entire estate of users.

 

Less obvious is the question “WHERE is the application data about to be transferred to?”. Is the file or application data going directly to the HQ server or cloud service provider, or is it about to be sent somewhere it should not be?

 

A single misconfiguration in an application or a home router could put data at risk of redirection. Encrypting traffic through a VPN mitigates some of the risk, provided the user remembers to use it every time. Older VPN protocols such as Point-to-Point Tunnelling Protocol (PPTP) are weak and should be replaced; note that Layer Two Tunnelling Protocol (L2TP) on its own provides no encryption and must be paired with IPsec (L2TP/IPsec), or replaced outright with a modern protocol such as IKEv2/IPsec, OpenVPN or WireGuard. Yet VPNs can be easily bypassed, not just by an attacker but possibly by the application itself. (When was the last time you ran your VPN through Wireshark? If you haven’t, you may be surprised at how little some VPN clients actually send through their tunnel, because split-tunnelling rules, DNS settings and application-level exceptions can route traffic around it.) In 2021 the DarkSide ransomware attack on Colonial Pipeline forced the company to shut down its pipeline, causing fuel shortages across the south-eastern US. The attackers gained network access through a compromised password for a legacy VPN account that did not require multi-factor authentication, encrypted Colonial’s data, and Colonial paid around $4.4m for the decryption key.
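One way to actually perform the Wireshark check suggested above, as an added example that is not part of the original article and not ZORB’s code: replay a capture summary offline and flag every packet that left the physical interface without being the VPN’s own encrypted envelope. The interface names, VPN server address and port, and the home LAN range are assumptions, and the packet list is constructed to mimic what `tcpdump -n` on a laptop would show. In practice you would export the interface, protocol, destination and port columns from Wireshark or tcpdump and feed them in.

```python
"""Offline check for traffic that bypasses a VPN tunnel.

Added illustration, not ZORB's code. It replays a small, constructed list of
packet summaries and reports anything leaving the physical interface that is
not the encrypted tunnel itself. Interface names, addresses and ports are
assumptions (TEST-NET and private ranges stand in for real ones).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

PHYS_IFACE = "en0"                                   # assumed: the Wi-Fi/Ethernet NIC
TUN_IFACE = "utun3"                                  # assumed: the VPN's virtual interface
VPN_SERVER = ipaddress.ip_address("203.0.113.10")    # assumed VPN concentrator (TEST-NET-3)
VPN_PORT = 51820                                     # assumed: WireGuard UDP port
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed home LAN


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet was captured on
    proto: str   # "udp" or "tcp"
    dst: str     # destination IP address
    dport: int   # destination port


def leaves_tunnel(pkt: Packet) -> bool:
    """True if this packet reached the network without going through the VPN."""
    if pkt.iface != PHYS_IFACE:
        return False          # seen on the tunnel interface: encrypted before it hits the NIC
    dst = ipaddress.ip_address(pkt.dst)
    if dst == VPN_SERVER and pkt.proto == "udp" and pkt.dport == VPN_PORT:
        return False          # the tunnel's own encrypted envelope to the VPN server
    if dst in LOCAL_NET or dst.is_multicast or dst.is_link_local:
        return False          # LAN chatter (router, printer, mDNS) is expected in cleartext
    return True


def classify(pkt: Packet) -> str:
    """Label a leaking packet so the finding is actionable."""
    if pkt.dport == 53:
        return "dns-leak"     # name resolution went to a resolver outside the tunnel
    if pkt.dport in (80, 443):
        return "app-bypass"   # an application (or split-tunnel rule) reached the internet directly
    return "other-leak"


def find_leaks(packets: List[Packet]) -> List[Tuple[str, Packet]]:
    """Every packet that bypassed the tunnel, with its classification."""
    return [(classify(p), p) for p in packets if leaves_tunnel(p)]


def tunnel_carried_traffic(packets: List[Packet]) -> bool:
    """Sanity check: a VPN that shows 'connected' but carries nothing protects nothing."""
    return any(p.iface == TUN_IFACE for p in packets)


# Constructed capture: a laptop on a home network with the VPN client 'connected'.
SAMPLE = [
    Packet("en0", "udp", "203.0.113.10", 51820),   # WireGuard envelope to the VPN server: fine
    Packet("utun3", "tcp", "198.51.100.7", 443),   # HTTPS inside the tunnel: fine
    Packet("en0", "udp", "224.0.0.251", 5353),     # mDNS on the LAN: fine
    Packet("en0", "udp", "8.8.8.8", 53),           # DNS straight to a public resolver: leak
    Packet("en0", "tcp", "198.51.100.7", 443),     # same HTTPS destination, but outside the tunnel: leak
]

if __name__ == "__main__":
    for label, pkt in find_leaks(SAMPLE):
        print(f"{label}: {pkt.proto} -> {pkt.dst}:{pkt.dport} on {pkt.iface}")
    print("tunnel carried traffic:", tunnel_carried_traffic(SAMPLE))
```

Two findings matter most: DNS queries leaving the physical interface (the resolver then sees every hostname you visit even while the tunnel is up) and application traffic to internet destinations outside the tunnel, which is what a split-tunnel rule or an application-level exception looks like on the wire. The `tunnel_carried_traffic` check catches the degenerate case where the client reports “connected” but nothing is routed through it.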

 

Data compliance is harder with remote workers. Obligations under GDPR, HIPAA and PCI DSS are all difficult to monitor remotely, as is monitoring and enforcing remote employees’ activity.

 

The correct way to prevent compromise of a remote worker’s outbound data is to challenge the destination of every transmitted flow. Is the flow going to the correct destination IP address? If not, terminate it before it can become a breach.

 

Data Exposure in Supply Chains

Our interconnected world has enabled companies to build deeply integrated digital relationships with their supply chains through the sharing of business-critical data. On average, a company shares its data with around 730 vendors. Little surprise, then, that 53% of companies have experienced at least one data breach caused by a third party.

 

Again, the most talked-about risks involve social engineering of the supply chain. Cybercriminals masquerading as suppliers use social engineering to request changes to payment processes. The BazarLoader malware was used in a 2020 supply chain attack in which criminals emailed employees inviting them to join conversations on platforms like Slack to discuss contract information, invoices and payroll. Third-party vendors are just as prone as any other company to malware or ransomware attacks; they are not immune to insider attacks or to human error that inadvertently causes a breach. A single device or application misconfiguration or vulnerability at a supplier can provide an entry point for an attacker. The 2020 SolarWinds supply chain attack highlighted this vulnerability: a backdoor maliciously inserted into a signed software update put around 33,000 of SolarWinds’ Orion customers at potential risk. In 2023, the exploitation of a vulnerability in the MOVEit file-transfer product is estimated to have impacted at least 600 organisations. More recently, a faulty CrowdStrike Falcon sensor content update crashed Windows hosts with a Blue Screen of Death and caused outages at hundreds of businesses worldwide; not an attack, but a reminder that a trusted third party’s update channel reaches straight into your estate.

 

The unfortunate reality is that third parties are unlikely to prioritise cybersecurity as highly as you do. For reference, ENISA publishes good-practice recommendations for supply chain cybersecurity.

 

Yet again, a less obvious but potentially more damaging source of data exposure is found by asking “WHERE is the user’s device attempting to send the application data?” A large share of data breaches across the supply chain could be prevented by challenging the destination of all transmitted data. If the data is not bound for the correct destination IP address, terminate the flow.

Conclusion

Three common business practices may be exposing your sensitive business data to breach. Considerable budgets go towards protecting against inbound attack, yet little effort goes into protecting outgoing data against breach.

 

Potential exposure in each of the three scenarios above could be prevented by applying a zero-trust approach to every outgoing data flow. If the integrity of the flow is in question, for example because the destination IP address is not the one expected, the flow should be terminated immediately, before it becomes a breach.
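The destination check called for in the cloud, hybrid-workforce and supply-chain sections, and restated here, as an added example that is not ZORB’s product or code: each application is allowed a set of server names and the address prefixes those names may legitimately resolve to, and a flow is blocked unless both agree. Application names, hostnames and the prefixes are assumptions (TEST-NET ranges stand in for provider ranges; in practice you would load the provider’s published endpoint list, which Microsoft for example maintains for Microsoft 365, and take flow records from the host firewall or an EDR agent).

```python
"""Destination-aware egress check: is this flow going where that application
should be sending data?

Added illustration, not ZORB's product or code. Process names, hostnames and
the 'expected' address ranges are assumptions; TEST-NET prefixes stand in for
real provider ranges, which would come from the provider's published lists.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Per-application policy: which server names the app may talk to, which IP
# prefixes those names are allowed to resolve to, and on which ports. All must match.
POLICY = {
    "OUTLOOK.EXE": {
        "hosts": {"outlook.office365.com"},
        "nets": [ipaddress.ip_network("198.51.100.0/24")],   # assumed provider range (TEST-NET-2)
        "ports": {443},
    },
    "OneDrive.exe": {
        "hosts": {"my.sharepoint.com"},
        "nets": [ipaddress.ip_network("192.0.2.0/24")],      # assumed provider range (TEST-NET-1)
        "ports": {443},
    },
}


@dataclass(frozen=True)
class Flow:
    process: str          # image name of the process opening the connection
    dst_ip: str           # destination the name actually resolved to
    dst_port: int
    sni: Optional[str]    # TLS server name the client asked for, if visible


def verdict(flow: Flow) -> Tuple[str, str]:
    """Return ("ALLOW" | "BLOCK", reason). Anything not explicitly expected is denied."""
    rule = POLICY.get(flow.process)
    if rule is None:
        return "BLOCK", "no egress policy for this process"
    if flow.dst_port not in rule["ports"]:
        return "BLOCK", f"port {flow.dst_port} not permitted for {flow.process}"
    if flow.sni is None or flow.sni not in rule["hosts"]:
        return "BLOCK", f"server name {flow.sni!r} not expected for {flow.process}"
    dst = ipaddress.ip_address(flow.dst_ip)
    if not any(dst in net for net in rule["nets"]):
        # The name is right but it resolved somewhere the provider does not own:
        # the DNS-redirect case. Terminate before any data leaves.
        return "BLOCK", f"{flow.sni} resolved to {flow.dst_ip}, outside the expected provider ranges"
    return "ALLOW", "destination matches policy"


def evaluate(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Apply the policy to a batch of observed flows."""
    return [(f, *verdict(f)) for f in flows]


# Constructed flows, as a host agent might report them.
SAMPLE = [
    Flow("OUTLOOK.EXE", "198.51.100.25", 443, "outlook.office365.com"),   # normal mailbox sync
    Flow("OUTLOOK.EXE", "203.0.113.9", 443, "outlook.office365.com"),     # right name, wrong network
    Flow("OneDrive.exe", "192.0.2.40", 443, None),                        # no server name visible
    Flow("updater.exe", "203.0.113.77", 8443, "cdn.example"),             # process with no policy
]

if __name__ == "__main__":
    for flow, decision, why in evaluate(SAMPLE):
        print(f"{decision:5} {flow.process} -> {flow.dst_ip}:{flow.dst_port}  ({why})")
```

The second sample flow is the DNS-redirect case from the cloud section: the client asked for the right server name, but the name resolved to an address the provider does not own, so the flow is terminated before the first byte of mailbox data leaves. Two caveats: the server name comes from the TLS ClientHello, so Encrypted Client Hello will hide it and the check then has to rely on process identity and the IP prefix alone; and the policy only works if the provider ranges are kept current, so treat the allow-list as a maintained artefact rather than a one-off configuration.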

 

This just leaves me to pose the question: do you really know where your data is going?

About the Author

Dr Mark Graham, CEO of ZORB Security

Dr. Mark Graham has spent over 30 years in cybersecurity. He completed his PhD in malware detection in Cambridge, UK, where he also lectured in Information Security, Cybercrime and Pen-Testing. He is a co-founder of ZORB Security, which specialises in eliminating data theft.

10 FREE Licences, on us!

Start your outbound data protection journey TODAY.

See first hand how ZORB stops

– data theft from hackers, malware and insider attacks

– cloud data misdirection

– malicious updates


No credit card required
