Recently, in a CISO therapy session, a friend of mine asked the group to explain what the worst outcomes in cybersecurity we could imagine are. It was an interesting request as it forced us to synthesize the bundles of figures and trends we juggle in our heads from studies, white papers, polls, and the cyber-ghost stories sales people tell. What follows is a distillation of that conversation into a few discrete risks. Unlike many other blogs, white papers, and reports, these risks are not based in polling data, statistical analysis, or analysis of any one event. Instead, these are (in no particular order) the deeply visceral, slightly terrifying anecdotes that people whose livelihoods rely on cybersecurity tell each other around the campfire with flashlights shining under our faces.
Bad Database Engineering
This nightmare goes something like this. You receive a call in the early hours of the morning that your firewall detects a server in your environment sending bursts of traffic to an unlisted IP in a foreign country. The server in question operates on multiple critical segments of the network and has access to multiple databases kept sperate to keep user’s personal information separate from user’s identities. After investigation, you realize that the server has sent out multiple human readable tables including one that contains the unique keys for users.
This is the absolute crown jewel of hacks because it involves failure at such a fundamental level.
Disregarding the perimeter defenses that may or may not be in place, here is what may have failed and what to do about it. The data in the databases were not encrypted allowing attackers to read the personal information in the databases. Encrypting the databases either at the field level, or at the disk level would have made it much more difficult for the attackers to read the databases. Additionally, traffic to and from the database applications should have been restricted to application traffic only. There should not have been the ability to pass entire files from the databases to the server. Closing ports not associated with your database applications could have prevented this. Finally, the databases were separated so that personal data and the subject of the data were not in the same database. This is great practice, but the impacted server could access both databases circumventing the control. To solve this, where possible, don’t use personally identifying information in your application. If you can infer who a person is from information, try not to use it or keep it.
The scariest scenario is one where you have no warning, your data is found on the dark web, and is attributable to you by the unique keys. In that case, your data was probably exfiltrated through misconfiguration of the application. To solve this scenario, make sure all users with access to the database have properly configured permissions. Also make sure that all users of your application are also considered users of the database so that you can ensure each user has the fewest access rights that they require.
Supply chain attacks are among the scariest because they make you feel powerless. Some of the most impactful third-party breaches occurred when a vendor or business partner did not properly secure a password for the company’s environment. Make sure that you regularly assess your third parties and pay special attention to their access controls. Are they storing passwords to your environment? Are those passwords hashed and protected in an encrypted vault?
Another disastrous outcome is a third-party breaching the data they store for you. Make sure you assess your third-party data services before you use them. Make sure you also know where and how they store your data. Maybe they send it to another company, who sends it to another company, and so on until you’ve completely lost track and control of your data. Make sure you cover where your data resides upfront and put those requirements in the contract so you always know where your off-premises data is stored and processed.
Whatever is Going on in Your Email
Out of all the systems in your company, email is among the scariest due to the near constant barrage of gut-punches it can throw your cybersecurity practitioners. I guarantee that the number of users who will gladly pass their credentials to the U.S. Government Password Inspector is higher than you expect. Combine that with near relentless spoofing and phishing attempts and you never know what could happen. Popular phishing techniques will go after your C-Suites credentials or convince your developers to click on malicious files. Ransomware, adware, and worms are all spread this way, and provide criminals and nation states the precursors to even larger hacks.
Your best bet to tackle the email risk is education. Teach your users to not click links, open unexpected attachments, enter credentials, or communicate with people they know at strange email addresses. Beyond that, implementation of an email gateway that has a reputational filter to screen emails will alleviate a ton of worry. Also consider incorporating an email sandbox that opens and analyzes email attachments prior to delivering them.
These 3 bone-chilling scenarios are just a taste of what keeps CISOs up at night. If you are interested in learning more, I will be hosting a webinar about some of the biggest third-party breaches, and I will definitely be touching on these topics. Register here to learn more.
CHIEF INFORMATION SECURITY OFFICER