
Security Fridays: Week Eleven

How to protect your data against increasing cyber threats

This recent breach (the REvil ransomware attack on a celebrity law firm, covered in the Threatpost article linked below) is a useful reminder that the threat landscape is constantly evolving, and that the people behind it deserve to be taken seriously. Some still picture attackers as spotty youths sitting at home writing malicious little programs for fun, and we sometimes still treat them that way. Hopefully an attack like this reminds us that in many ways the threat actors are at least as capable as many security vendors, and as a community they are in some ways far better interconnected.

Here we have a group that in sixteen months has earned a great deal of money. I will take their claim of $2 billion with a pinch of salt, since they have a product to market, but it is fair to say they have made considerable sums. They have then either gone away and re-invested that money in a new operation, or sold their code and rights to someone else for even more.

To put that in context, McAfee itself posts around $2.5 billion in annual turnover. That should reflect just how much value there is in this marketplace for criminals, and just how seriously we should be taking it. The incident also raises a question that should be asked after any breach of this kind: how was anyone able to access that much data without being detected?

We often get caught up in the latest security tools and the idea that we need the most advanced threat protection to stand a chance against capabilities like these, but there is a strong argument for going back to basic principles. Every attack has to do certain things to have an effect: the attacker has to reach the data, read or encrypt it, and usually move it somewhere. It is always worth looking at how those unavoidable steps are covered in your security model.

So for example:

1 – Ransomware or thieves have to actually access files to encrypt or steal them. So which accounts have permission to access the data? No single account should ever be able to touch all the sensitive data in a business. Not even administrators should be able to reach all data across the estate. Removing that capability removes the easy route for an attacker to access everything: compromising one account, however privileged, should not hand over the whole data set.

2 – Access to data should also be monitored. It is a detectable interaction, so the question in this case is how any account or device was able to access this much data without being noticed. Over 700 GB of data accessed and exfiltrated without being spotted at the storage layer or at the perimeter suggests an intrinsic problem with data monitoring that should be looked into. A file server audit log, a DLP tool or egress accounting at the firewall should each have shown a read volume and an outbound transfer far outside the normal pattern for a single account.

3 – Data you don’t hold can’t be breached. Did all that data really need to be held in easily accessible storage? Could some of it have been moved to offline archives? Was there a data lifecycle plan under which old data that is no longer needed is either archived or destroyed? An organisation should constantly be reviewing what it holds, why, and when that data should be removed. By removing what you no longer need and keeping tight control over what you store, you reduce both the risk and the liability if the worst does occur.
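As an added illustration of points 1 and 2 (this is example code written for this page, not part of the original post or any SecurEnvoy product), the script below runs two of the checks the list describes against a constructed permission inventory and a handful of constructed file-server audit events: first it finds accounts whose grants reach every sensitive data set, then it flags any account that reads an unusual volume within a sliding one-hour window. The account names, data set names, audit line format and the 500 MiB per hour threshold are all assumptions for the example.

```python
"""Added example (not from the original post): two checks the article argues for.

1. Least privilege: which accounts can reach every sensitive data set?
2. Detection: which accounts read an abnormal volume of data in a short window?

All names, grants, log lines and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed permission inventory as (account, data_set) pairs. In a real estate
# this would be an export of share/NTFS ACLs or a data classification tool.
PERMISSIONS = [
    ("svc_backup", "client_contracts"),
    ("svc_backup", "hr_records"),
    ("svc_backup", "finance"),
    ("alice", "client_contracts"),
    ("bob", "hr_records"),
    ("domain_admin", "client_contracts"),
    ("domain_admin", "hr_records"),
    ("domain_admin", "finance"),
]

# Assumed set of data sets the business has classified as sensitive.
SENSITIVE_SETS = {"client_contracts", "hr_records", "finance"}


def accounts_with_full_reach(permissions, sensitive_sets):
    """Return (sorted) accounts whose grants cover every sensitive data set.

    Any account listed here violates point 1: compromising it exposes everything.
    """
    reach = defaultdict(set)
    for account, data_set in permissions:
        if data_set in sensitive_sets:
            reach[account].add(data_set)
    return sorted(a for a, sets in reach.items() if sets == set(sensitive_sets))


# Constructed audit events: "<ISO timestamp> <account> <data_set> <bytes read>".
# The format is assumed for the example and does not match any specific product.
AUDIT_LOG = """\
2020-05-08T01:02:10Z svc_backup finance 104857600
2020-05-08T01:05:33Z svc_backup hr_records 209715200
2020-05-08T01:09:41Z svc_backup client_contracts 734003200
2020-05-08T09:15:02Z alice client_contracts 2097152
2020-05-08T09:40:17Z bob hr_records 524288
2020-05-08T10:01:00Z alice client_contracts 1048576
"""


def parse_audit(text):
    """Parse the constructed audit format into (timestamp, account, data_set, bytes)."""
    events = []
    for line in text.splitlines():
        ts, account, data_set, nbytes = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, account, data_set, int(nbytes)))
    return events


def bulk_access_alerts(events, window=timedelta(hours=1), threshold_bytes=500 * 2**20):
    """Flag accounts whose reads exceed threshold_bytes inside any sliding window.

    Returns {account: (bytes_in_worst_window, sorted list of data sets touched)}.
    A per-account sliding window is used so a slow trickle over a day is not
    confused with a bulk pull over a few minutes.
    """
    by_account = defaultdict(list)
    for stamp, account, data_set, nbytes in events:
        by_account[account].append((stamp, data_set, nbytes))

    alerts = {}
    for account, rows in by_account.items():
        rows.sort()  # oldest first; tuples sort on the timestamp
        start = total = worst = 0
        for stamp, _, nbytes in rows:
            total += nbytes
            # Drop events that fell out of the window ending at this event.
            while stamp - rows[start][0] > window:
                total -= rows[start][2]
                start += 1
            worst = max(worst, total)
        if worst > threshold_bytes:
            alerts[account] = (worst, sorted({r[1] for r in rows}))
    return alerts


if __name__ == "__main__":
    print("Accounts able to reach all sensitive data:",
          accounts_with_full_reach(PERMISSIONS, SENSITIVE_SETS))
    for account, (nbytes, sets) in bulk_access_alerts(parse_audit(AUDIT_LOG)).items():
        print(f"ALERT {account}: {nbytes / 2**20:.0f} MiB in one hour across {sets}")
```

On the constructed data the first check names both svc_backup and domain_admin, which is exactly the "one account can touch everything" condition the article warns about, and the second check raises a single alert for svc_backup, which pulled 1000 MiB from three data sets in under ten minutes while the human users stayed in the low megabytes. The thresholds and window are the knobs a real deployment would tune against its own baseline.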

Read the article that was analysed here: https://threatpost.com/revil-ransomware-attack-celeb-law-firm/155676/

Category: Industry News

Data Security Awareness


Chris Cassell, Technical Specialist

Chris has worked in the IT industry for seventeen years in a variety of roles, from helpdesk (where we all started) through desktop support up to technical consultant. His specialisms lie in network security, design and analysis.
