Well, here we are in June, at the halfway mark through the year. It’s hard to believe that the time has gone by so quickly. I usually don’t have too much time during the week to scour the news headlines, so I usually do that on the weekends.
Unfortunately, it is the same headlines over and over again: instances of data leakage, PII being compromised, some attacks on critical infrastructure here and there, and yes, Cryptojacking still remains a potent threat.
But, in the end, who is to blame for all of this? Sure, we can always find fault with the CIO and CISO (the “buck” technically stops with them), but really in the end, it is all of us in Corporate America that are to blame, all the way down to the employee that is a road warrior and lives there. What am I talking about?
I am talking about leaving data files exposed to the open public. Although the news media headlines are scant in their details as to how the Cyberattacker actually launched the attack and broke through the lines of defense, the only easy way for them to do this is by getting access to the data files that have been left exposed for some reason or another.
In my opinion, it does not really matter how well protected these data files are within an IT infrastructure. For example, they may be surrounded by the latest in firewalls and routers, but the fact still remains that these individual files were left unprotected and potentially exposed. Remember, a Cyberattacker can always break through a line of defense given enough time.
This is the mindset that has been prevalent in Corporate America: throw everything you have at protecting your business from what can penetrate from the external environment, but don’t worry about things that could be happening on the inside. Keep in mind here that I am not talking about Insider Attacks, as these are very difficult to detect and even prevent (as I have written about previously).
I am talking about the simple steps that can be taken to protect your IT Assets within the organization. This can run the gamut from PII to customer data, and even your intellectual property. I have to put the disclaimer in there that organizations have, to a small degree, started to do this, especially with endpoint security and threat hunting. But these activities only look for threats that could be lurking on the inside; they still do not address protecting individual files.
My claims here are well substantiated by a recent study conducted by Digital Shadows, which has been entitled “Too Much Information: The Sequel”. Here are some of the trends that they have discovered, and they are alarming:
*The United States has the highest amount of unprotected and exposed data at over 326 million files. France and Japan also come in first in their respective geographic locations, with 151 million and 77 million files exposed, respectively.
*The File Transfer Protocol (FTP) and Resynchronization servers accounted for over 20% and 16% of exposed data files, respectively.
*The Cyberattacker is actively attempting to exploit these kinds of file exposures. More than 17 million files were hit by Ransomware, of which 2 million belonged to the NamPoHyu Ransomware, a variant of the MegaLocker strain.
But all is not total doom and gloom either. Here are some success stories that the survey found as well:
*Amazon Web Services introduced a new feature, known as “Block Public Access”, in November 2018. This has reduced the overall exposure of S3 buckets significantly. For example, there were 16 million files that remained unprotected in October 2018 coming from AWS S3 buckets. Now, fewer than 2,000 files remain exposed, based on a recent audit.
*The recently enacted General Data Protection Regulation (GDPR) is now starting to have an effect as well. Luxembourg and The Netherlands were the only two countries in the European Union which reduced their overall data exposure. But France still has the highest number of unprotected files.
My thoughts on this?
In my opinion, there is no reason to leave files unprotected and exposed. Corporate America is flush with cash on its balance sheets to procure the mechanisms needed to make this happen. There is talk today amongst the C-Suite about how to spend money wisely when it comes to Cybersecurity. Part of the argument is learning how to place security tools strategically so that you can do more with less, to a certain degree.
This does make sense. For example, the thinking has been that 10 firewalls are better than just 2. After all, more sounds better, right? WRONG!!! Having so many firewalls will only create a greater attack surface, and also be a huge hit to the bottom line. Instead, it is far better to have two firewalls placed at the most strategic locations, which will have the same kind of impact as having 10 firewalls.
This line of thinking should also carry over to protecting mission-critical files. After all, the technology is out there, and it is cheap. It all comes down to deploying and using the right kinds of encryption tools and training your employees how to use them properly. But once again, this has to come from the top brass. If employees have to do it, so does the C-Suite. There should be no excuse for that.
In fact, it should be a part of the Security Policy that regular audits must be conducted (I would say at least once a month) in order to see how many files still remain unprotected, and what can be done quickly to patch that up.
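One way such a recurring audit could look for the S3 case mentioned above, as an added example that is not taken from the Digital Shadows study or from AWS. The inputs mirror the response shapes of the S3 `GetPublicAccessBlock`, `GetBucketAcl` and `GetBucketPolicy` calls; the bucket names and settings are constructed, and the public-policy test is a simplification (any unconditioned Allow to a wildcard principal).

```python
import json

# ACL grantee URIs that mean "anyone" / "any authenticated AWS account".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/" + g
                 for g in ("AllUsers", "AuthenticatedUsers")}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in ([principal] if isinstance(principal, str) else principal or [])

def audit_bucket(pab, acl_grants, policy_json):
    """Findings for one bucket; inputs mirror the S3 API response shapes."""
    pab = pab or {}  # no configuration at all means every setting is off
    findings = [f"{k} is off" for k in PAB_KEYS if not pab.get(k)]
    # Existing public ACLs only stop working when IgnorePublicAcls is on.
    public_acl = any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
                     for g in acl_grants)
    if public_acl and not pab.get("IgnorePublicAcls"):
        findings.append("EXPOSED: public ACL grant in effect")
    # Simplification (assumption): unconditioned Allow to "*" counts as public.
    # An existing public policy is only neutralised by RestrictPublicBuckets.
    stmts = json.loads(policy_json).get("Statement", []) if policy_json else []
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    public_policy = any(s.get("Effect") == "Allow" and not s.get("Condition")
                        and wildcard_principal(s.get("Principal")) for s in stmts)
    if public_policy and not pab.get("RestrictPublicBuckets"):
        findings.append("EXPOSED: public bucket policy in effect")
    return findings

# Constructed sample inventory (bucket names and settings are made up).
ALL_ON = dict.fromkeys(PAB_KEYS, True)
OPEN_ACL = [{"Permission": "READ", "Grantee": {"Type": "Group",
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]
OPEN_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}]})
INVENTORY = {
    "example-locked": (ALL_ON, OPEN_ACL, OPEN_POLICY),
    "example-legacy": (None, OPEN_ACL, None),
    "example-reports": ({**ALL_ON, "RestrictPublicBuckets": False}, [], OPEN_POLICY),
}

def audit(inventory):
    return {name: audit_bucket(*cfg) for name, cfg in inventory.items()}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "->", findings or "no findings")
```

The first bucket shows why the four settings matter separately: its old public ACL and policy are still attached, but they have no effect once `IgnorePublicAcls` and `RestrictPublicBuckets` are on.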
Of course, also, employees must be held accountable as well for encrypting any shared resources that they have modified, altered, revised, etc. This is especially important when an employee is working from home and is logging into the corporate servers from their laptop.
Virtual Private Networks (VPNs) must be used, as well as Two Factor Authentication (2FA, but of course the more the better). In this instance, that means using some sort of Biometric (such as fingerprint and/or iris recognition) and a token (like the ones made by RSA).
Remember, companies like to blame employees for being the weakest link in the security chain. But in this case, the C-Suite are also employees, as well as the data files that go unprotected for long periods of time.
Finally, the study can be seen here at this link: