Do You Know Where Your Data Is?

The task of identifying assets that need to be protected is a less glamorous aspect of information security. But unless we know these assets, their locations and value, then how are we going to decide the amount of time, effort or money that we should spend on securing these assets?

Real case scenario

A former Dallas hospital guard was charged for breaking into the computers, planting malicious software and planning a distribution-denial-of service (DDos) attack.

The majority of the insider unauthorised activities involved a heating, ventilation and air conditioning (HVAC) system containing confidential patient information.

This HAVC was located in a locked room, but the insider uses his security key to obtain physical access.

The insider installed malware to allow unauthorised individuals to remotely access and take control.

The malicious insider activities caused the HAVC system to become unstable, which eventually led to outages.

The insider was caught after he posted pictures on the Internet of the compromised HVAC.

The case illustrates how a single computer system caused a significant amount of damage to an organisation. Modifying the HVAC could have potentially been life threatening.

The point is, the HVAC computer was located in a locked room, rather than a data centre or a server room. Secondly, If the organisation had fully realised the potential impact, it could have implemented additional controls to prevent this type of attack

The essential function of any organisation business is to understand it’s critical assets and to ensure its confidentiality, integrity and availability (CIA).

Critical assets can be thought of as something of value that which if destroyed, altered, or otherwise can cause major harm to the organisation.

Critical assets can both be physical as well as logical

• Facilities
• Technology
• Information
• People

A complete understanding of critical assets (both physical and logical) is valuable in defending against attackers (whether they are insiders or outsiders) who will often target the organisation critical assets.

The following questions will help you identify and prioritise the protection of your critical assets.

1. What critical assets do you have?
2. Do you know the current state of each critical asset?
3. Do you understand the importance of each critical asset?
4. Can you prioritise the list of critical assets?

Once critical assets are identified and prioritised, you must identify the high-risk users that interact with these assets.

A question that you must ask – What could a user that has authorised access to the critical asset do either intentionally or unintentionally to cause harm?

By answering this specific question to every critical asset will help you drive the right control and policies that need to be set.

Real Breach Example: Data leakage

Date of Breach: 16^th of October, 2019

Over 1.2 billion records of personal data have leaked online in a massive security breach. The leaked data contains email IDs, employers, social media profiles, phone numbers, names, job titles and even geographic locations.

The exposed data comes with an index which suggests it was essentially sourced from a data enrichment company called People Data Labs. The unprotected Elasticsearch server contained as many as 622 million unique email addresses, researchers added.

Your Next Best Step

Let’s start by focusing on one of your key assets – Data.

• What type of data is processed (medical information, personally identifiable information, credit card numbers, intellectual property, inventory records, etc)?
• How valuable is the data?
• What type of devices process this data (workstations, servers, mobiles devices, etc)?
• Where is the data stored?
• Where is it processed?
• Where is it transmitted?
• Which insiders can access this data?
• What malicious actions can insiders put this data ta risk?
• What unintended actions can insiders put this data at risk?

Answering these questions will help you to inventory the data and systems that must be protected from various attacks.

Data Discovery Scan Service

If you find the above a challenge due to time and resource constraints, consider that Naked Insider can offer this service for you.

While I’m guessing that you have reasonably good visibility and the idea of where your critical and sensitive data resides, you may not be aware of other sets of information. These ad-hoc data sets may have been generated over time and maybe sitting on someone’s laptop, but how would you know? And what is the risk to your business and your reputation?

The data discovery scan is a fast and easy way to scan your network and identify the precise files containing sensitive data and their location. The entire process can be completed within a couple of days.

What is the value to you?

• Develops a top-level data classification view of stored data. For example, all files containing credit card info, tax file info, Intellectual property, with the ability to drill down into each category to the actual file and its location.
• Detect wrongly classified and located sensitive files. Users tend to place sensitive files in wrong locations which might be unsecured. The scan helps to detect these files for protection.
• Identify key locations having the highest concentrations of sensitive files.
• Identify legacy data that should either be archived or destroyed based on compliance.
• Helps to identify all sensitive files and their locations which can be provided to each department head to ensure they have visibility of where their data is.

Interested?

Interested in finding out what the process is?

Interested in seeing a sample report?

Interested in knowing what your investment is?

Contact us at sales@nakedinsider.com  with a subject line “Data Discovery”