By Mike Buckley | Presales Security Consultant at Nettitude
There are a few important principles that should be keeping a responsible CIO/CISO awake at night. Most certainly, one of those would be the loss or leakage of business-critical data such as customer Personally Identifiable Information (PII) or financial details. One of the primary functions of their role is to recognise this and put in place processes and technical controls to lower the risk of that data being exposed. We only have to look in the media to see numerous examples of data breaches. Threat actors, as we now call them, have been trying to access data of various kinds stretching back into the 1980s, when modems connected everything together. Unfortunately for the CIO/CISOs of today, there are compliance frameworks such as GDPR which firmly put the burden of responsibility on their shoulders.
Data Protection Challenges
We know from our lengthy red team testing that protecting data against an advanced and persistent group is incredibly hard to achieve. However, we still find common denominators that our offensive team can exploit. From a technical perspective only, these include:
- Lack of robust patching
- Weak authentication configuration
- Overly permissive access controls
- Lack of visibility of user behaviour
- Poor prevention capability
- Weak data control
An interesting comment from one of our senior team members: “If we’re going to get caught, it’s typically by some kind of deception technique.” But that’s for another blog.
The technical solutions really are not too difficult to address if tackled in an appropriate manner. The challenge is the “appropriate manner”: we often see security teams trying to fix these issues with various point solutions and getting lost as vendors compete with each other for the sale. We prefer a much more strategic approach and may recommend a framework to bind together the efforts and provide a clear roadmap that can be worked to. Depending on the security maturity, this may start with Cyber Essentials/NCSC Ten Steps, or it may be more appropriate to look at a more advanced framework such as PCI-DSS. There are plenty of areas to consider:
- Endpoint Protection
- Multi-Factor Authentication and Identity Control
- Email and Web Security
- Cloud Security
- Network Security
Also worth noting is the effort required to maintain all the different technical products and to keep them “fed and watered”, so that their configurations remain current and they are monitored for alerts and suspicious behaviour. There’s also the barrier of “oh no, not another agent” from the IT Support teams.
One of the major challenges of data loss protection is preventing an insider, or somebody who has successfully breached security, from exfiltrating the data from the secure environment. Now we start to think about technical data controls such as Data Loss Prevention (DLP). So, technically, DLP is really quite straightforward to implement: it can protect data at rest and data in motion. Unfortunately, that is where any notion of DLP being straightforward ends. DLP solutions that have been implemented effectively and are used by the business successfully are few and far between. There are many, many challenges to overcome, and often it requires a shift in culture in how the whole business views data control and the responsibilities for it.
Most businesses are using technical data protection solutions to fix a variety of security requirements. These all need looking at in a strategic way to ensure that they are giving value for money and, crucially, protecting the crown jewels of critical data. Given our continued success in silently penetrating defences with our offensive engagements, all security controls can only be viewed as lowering the risk of breach and data loss. Guaranteeing that critical data isn’t leaked is a fool’s errand; fortunately, this is now accepted, and “when, not if” is the fate that IT teams are resigned to.
To find out more about what Nettitude can do to address the problem of data protection, take a look at our cyber strategy & data protection services.
Ready to get started? Get in touch with the team here.