Breaches and Attacks that are "Not in Scope"
Last week, we saw Orange (a telecom company based in France) compromised, with the information for 1.3 million clients breached. At this time, it does not appear that any credit card numbers or credentials were exposed in that event. (http://www.reuters.com/article/2014/05/07/france-telecomunications-idUSL6N0NT2I120140507)
The interesting thing about this data breach was that it involved systems that would not be considered "primary": the site compromised housed contact information for customers who had "opted in" to receive sales and marketing information.
I'm seeing this as a disturbing trend. During security assessments, penetration tests and especially in PCI audits, I see organizations narrow the scope to systems that they deem "important". But guess what: the data being protected has sprawled into other departments, and is now housed on other servers, in other security zones where it should not be, and in some cases in spreadsheets on laptops or tablets, often unencrypted. Backup images and backup servers are other components that are often not as well protected as the primary data (don't ask me why this oversight is so common).
The common quote amongst penetration testers and other security professionals for this situation is: "guess what, the internet (and the real attackers) have not read or signed your scope document".
It's easy to say that we need to be better stewards of our customers' information, but we really do. Organisations need to characterise what their information looks like (with regexes, or with dummy customer records that you can search for), then go actively hunt for it. Be your own Google: write scripts to crawl your own servers and workstations looking for this information. Once this process is in place, it's easy to run it periodically, or better yet, continuously. Put the same patterns into your Snort (or other IPS) signatures so you can see them on the wire, in email, and in file copy or file save operations.
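As an added example (this is not code from the diary or from Metafore), here is a minimal "be your own Google" crawler in Python. It walks a directory tree and flags any file that contains either a Luhn-valid card number candidate or one of a set of canary values, a fictitious customer record that the security team planted in the primary system so that any copy of it found elsewhere proves the data has sprawled. The canary strings and the sample files it scans are constructed for the demonstration; the Luhn check is there because a bare 16-digit regex alone drowns you in order numbers, ticket references and phone lists.

```python
"""Hunt for sprawled cardholder data and planted canary records.

Added example for this diary, not the author's own tooling: walks a directory
tree and flags files containing Luhn-valid card-number candidates or any of the
dummy customer records the security team seeded into the primary system.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Loose candidate pattern: 13-19 digits, optionally split by single spaces or
# dashes. The Luhn check below does the real filtering, so the regex stays simple.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Canary values: a fictitious customer planted in the primary database so that
# any copy found elsewhere proves the data has sprawled. Assumed, illustrative.
CANARIES = ("Zelda Q. Tracerbullet", "zq.tracer@example.invalid")


def luhn_ok(digits: str) -> bool:
    """True if the all-digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card-number candidates found in text, digits only."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Finding:
    path: str
    pans: list[str] = field(default_factory=list)
    canaries: list[str] = field(default_factory=list)


def scan_tree(root: str, canaries=CANARIES, max_bytes: int = 5_000_000) -> list[Finding]:
    """Walk root and report every file holding a valid PAN or a canary string."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue                      # skip disk images, VM files, etc.
                with open(path, "rb") as fh:      # bytes: never choke on a binary
                    text = fh.read().decode("utf-8", errors="ignore")
            except OSError:
                continue                          # unreadable: log it in real use
            f = Finding(path, find_pans(text), [c for c in canaries if c in text])
            if f.pans or f.canaries:
                findings.append(f)
    return findings


def build_demo_tree() -> str:
    """Create a throw-away tree of constructed sample files (no real data)."""
    root = tempfile.mkdtemp(prefix="sprawl_demo_")
    samples = {
        # the "out of scope" marketing opt-in list, with a card number pasted in
        "marketing/optin_list.csv":
            "name,email,card\nZelda Q. Tracerbullet,zq.tracer@example.invalid,"
            "4111-1111-1111-1111\n",
        # an unencrypted backup dump on a file share
        "backups/db_dump.sql":
            "INSERT INTO orders VALUES (42, '5555 5555 5555 4444');\n",
        # benign: a phone number and a 16-digit value that fails Luhn
        "laptops/phone_list.txt":
            "Call 555-0100, ticket ref 4111111111111112\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def summarise(root: str) -> dict[str, Finding]:
    """Findings keyed by path relative to root, with '/' separators."""
    return {os.path.relpath(f.path, root).replace(os.sep, "/"): f
            for f in scan_tree(root)}


if __name__ == "__main__":
    for rel, f in summarise(build_demo_tree()).items():
        print(f"{rel}: PANs={f.pans} canaries={f.canaries}")
```

Point `scan_tree` at a real file share or workstation image instead of the demo tree and run it from cron or a scheduled task; anything it reports outside the PCI scope is either a scope error or data that needs to be deleted. The same two patterns, the regex plus the canary strings, are what you would carry over into the IPS signatures the diary mentions.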
Too often the breach that happens is on a system that's out of scope and much less protected than our "crown jewels" data deserves. If you're in the process of establishing a scope for PCI or some other regulatory framework, stop and ask yourself "wouldn't it be a good idea to put these controls on the rest of the network too?"
===============
Rob VandenBrink
Metafore
Comments
Maybe it goes without saying, but I'll say it anyways: an absence of any required regulatory compliance at a company does not entail an absence of the applicability of these same security considerations.
Anonymous
May 15th 2014
for which: (1) NOTHING is out of scope, and (2) That there is at least regular security verification/reviews, to make sure there is not data being stored there which is not supposed to be, that the system shouldn't be reclassified as holding important assets, AND that a baseline standard of security is met, and
(3) That it is monitored for breach, just like other systems, to ensure "non-important" systems are not acting as a safe harbor for the bad guys to park, and then leverage to attack more important systems later.
Anonymous
May 16th 2014