(The Dirty Dozen) x2
by guest writer Chaz Sowers
Data leakage, or data breach, is a continuing issue in the life of the information security professional. Having worked dozens of these events, I have seen several common factors, or oversights, that allowed the behavior or vulnerability that was eventually exploited. This article is my attempt to aggregate those factors into a checklist that others can use.
It is provided in the hope that you may learn something new and avoid the common pitfalls that lead to one of the greatest fears of the security professional: a data breach of sensitive or confidential information!
Listed below are my (Dirty Dozen) x2: the twenty-four most frequently observed oversights that can result in the leakage or breach of confidential or sensitive information.
Insufficient Efforts in Security Training and Awareness for End Users - Users are not trained sufficiently to recognize spear-phishing attacks, or to take the appropriate actions (report it, do not open the attachment or follow the link) once an attack is identified;
Local Storage of Data - Data (even sensitive data) is stored on local hard drives rather than on a server where it can be monitored, controlled, and included in backups (the backup and restoration problem is a topic for another day);
Lack of Centralized Access Control Mechanisms - There is no centralized network administration; each business unit “does its own thing” in terms of network administration and security;
Lack of Network Zoning - The network is “flat”: there are no secure enclaves, VLANs, or internal firewalls that limit access from one part of the network to another, so once the perimeter defense has been breached, “walking” the internal network is a trivial task;
Weak Perimeter Defenses - The perimeter defenses are weak or lack sufficient depth to deter even a rudimentary attack;
Lack of Detective Controls (Logging) - There is no way to determine what data, or how much, left the enterprise because logging had been disabled on the network devices as well as on the servers;
Lack of Detective Controls (Monitoring) - The organization has no reliable way of detecting that an intrusion has occurred, either because it lacks the equipment or because the equipment is not configured properly. How many enterprises think that because they have Snort installed they are secure, while the rules are tuned so loosely that it never raises an alert, as we have seen time after time? Or worse, a rootkit or malware infection predates the Snort installation, so the malware's traffic is already part of the network's “normal” baseline and is lost in the noise;
Lack of OS Hardening - Operating system installations, from servers to laptops, are “standard” out-of-the-box installations of Windows, which emphasize ease of use over security;
Organic Growth - In order to connect several disparate and geographically separate business units, an ad hoc network was established that emphasized expediency rather than proper design and security;
Ad Hoc Incident Response - There is no dedicated Incident Response Team in place within the organization;
Lack of Formal Security Policies - Security policies, procedures and practices are largely nonexistent;
Lack of Formal Roles and Responsibilities - Roles, responsibilities, and the authority to deal with a data breach are not defined before an event. Without them, an Incident Response quickly spins out of control and becomes an Out of Control Incident Response; an OoCIR is worse than no Incident Response at all;
Lack of Formal Communication Plans - The chain of command for data breaches is unclear within the organization: the IR Team is unsure whether the CIO, CSO, or COO is ultimately responsible, or, worse, members of the in-house CIRT report up through different organizational units;
Lack of Centralized Security Authority - Business units have a great deal of autonomy, and since they are not directly affected by the data breach, their responses to questions and inquiries arrive late or not at all;
Lack of Network Access Control (NAC) and Endpoint Controls - There is no NAC, so any device can join the network, and no endpoint security on users' laptops, so anyone can plug anything into a USB port;
Virtual Security Organizations - The CISO or ISSO has no direct full-time staff; instead, other IT staff are tasked 25% of their time to IT security;
Lack of Network or Data Classification - The organization has no inventory of critical assets, so the Incident Response Team has no idea what assets an intruder could access and remove. It is impossible to protect the corporation's most valuable data if no one knows what it is or where it is stored;
Lack of a Best Practices Framework as a Basis for Security Policies (COBIT, ITIL, NIST, etc.) - Without such a framework, policies tend to be “ad hoc” and “reactive” rather than “proactive”;
Obsolete Technologies - For example, the continued use of NetBIOS as a communication protocol, or that old Windows NT server that hasn't seen a security patch in the past three years;
Failing to Harden Servers - Though this is a generic statement, the one factor that continues to surface in data breaches is servers that accept NULL sessions: anonymous SMB connections to the IPC$ share that let an unauthenticated attacker enumerate user accounts, groups, shares, and password policy before ever supplying a password;
Confusion - The organization has recently undergone a merger, acquisition, or major reorganization;
Irregular Security Assessments - No one can remember when the last security assessment or security test and evaluation (ST&E) took place;
Improper Network Segmentation - As unlikely as it seems, there are still organizations that place publicly addressable and accessible servers on the corporate LAN instead of in a DMZ;
Failure to Observe the Concept of “Least Privilege” - For example, users are Local Administrators on their own computers, so any malware they run has full control of the machine.
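Several of the items in this list can be verified on a single Windows host rather than taken on faith. The script below is an added example written for this page, not code from the article's author; it audits the NULL-session settings, local Administrators membership, the USB mass-storage driver, NetBIOS over TCP/IP, the host's IPv4 addresses, and the Security event log, and reports each deviation. It assumes Windows 10 / Server 2016 or later with PowerShell 5.1 in an elevated session; the administrator allow-list (two placeholder entries) and the 100 MB log-size threshold are assumptions to adjust per site, while the registry paths and values are the documented Windows settings.

```powershell
# Added example for this page (not the article author's code): read-only audit of
# several checklist items on one Windows host. Assumes Windows 10 / Server 2016+,
# PowerShell 5.1, and an elevated session. Registry paths and values are the
# documented Windows settings; the admin allow-list and log-size threshold are
# placeholders to adjust per site.

$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-PrivateIPv4([string]$Ip) {
    # True for RFC 1918, loopback, link-local (APIPA) and CGNAT (100.64/10) ranges.
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168) -or
    ($b[0] -eq 127) -or
    ($b[0] -eq 169 -and $b[1] -eq 254) -or
    ($b[0] -eq 100 -and $b[1] -ge 64 -and $b[1] -le 127)
}

# Failing to Harden Servers: anonymous (NULL) SMB session settings.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if ((Get-RegValue $lsa 'RestrictAnonymous') -notin @(1, 2)) {
    $findings.Add('Lsa\RestrictAnonymous is not 1 or 2: anonymous enumeration of shares and accounts is allowed')
}
if ((Get-RegValue $lsa 'RestrictAnonymousSAM') -ne 1) {
    $findings.Add('Lsa\RestrictAnonymousSAM is not 1: anonymous SAM account enumeration is allowed')
}
if ((Get-RegValue $lsa 'EveryoneIncludesAnonymous') -eq 1) {
    $findings.Add('Lsa\EveryoneIncludesAnonymous is 1: Everyone permissions also apply to anonymous users')
}
if ((Get-RegValue $srv 'RestrictNullSessAccess') -ne 1) {
    $findings.Add('LanmanServer\RestrictNullSessAccess is not 1: null sessions may reach shares and named pipes')
}
foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
    $entries = @(Get-RegValue $srv $name | Where-Object { $_ })
    if ($entries.Count -gt 0) {
        $findings.Add("LanmanServer\$name is not empty: $($entries -join ', ')")
    }
}

# Least Privilege: who holds local Administrators rights. The allow-list is a placeholder.
$allowedAdmins = @("$env:COMPUTERNAME\Administrator", "$env:USERDOMAIN\Domain Admins")
foreach ($m in @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)) {
    if ($m.Name -notin $allowedAdmins) {
        $findings.Add("Unexpected local Administrators member: $($m.Name) [$($m.ObjectClass), $($m.PrincipalSource)]")
    }
}

# Endpoint control (the USB half of the NAC item): USBSTOR Start 4 = disabled, 3 = load on demand.
$usbStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
if ($usbStart -ne 4) {
    $findings.Add("USBSTOR\Start is '$usbStart' (4 = disabled): removable USB storage can be mounted")
}

# Obsolete Technologies: NetBIOS over TCP/IP. TcpipNetbiosOptions 0 = via DHCP, 1 = on, 2 = off.
foreach ($nic in @(Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')) {
    if ($nic.TcpipNetbiosOptions -ne 2) {
        $findings.Add("NetBIOS over TCP/IP not disabled on '$($nic.Description)' (option $($nic.TcpipNetbiosOptions))")
    }
}

# Improper Network Segmentation: a globally routable IPv4 address bound on this host.
foreach ($addr in @(Get-NetIPAddress -AddressFamily IPv4)) {
    if (-not (Test-PrivateIPv4 $addr.IPAddress)) {
        $findings.Add("Globally routable IPv4 $($addr.IPAddress) on interface '$($addr.InterfaceAlias)'")
    }
}

# Lack of Detective Controls (Logging): Security log enabled and large enough to keep history.
$sec = Get-WinEvent -ListLog Security
if (-not $sec.IsEnabled) { $findings.Add('Security event log is disabled') }
if ($sec.MaximumSizeInBytes -lt 100MB) {   # threshold is an assumption
    $findings.Add("Security log limited to $([int]($sec.MaximumSizeInBytes / 1MB)) MB; raise it or forward centrally")
}

if ($findings.Count -eq 0) {
    'No findings for the checks above.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

The script changes nothing; it only reads registry values, group membership, adapter configuration, and log settings, so it is safe to run across a fleet (for example through a remoting session) before deciding what to fix. A non-empty NullSessionPipes list is reported for review rather than as an outright failure, because domain controllers legitimately expose a few pipes there.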
Conclusion:
It is my hope that you did NOT find a great deal of commonality between this listing and your organization. However, if there were a few items that hit close to home, here is how I would interpret the results:
5 or fewer: Congratulate yourself, because you are among the top 5% of the most secure organizations that I have seen;
6 to 15: While your organization has some weaknesses and could certainly be improved, you are about normal and among the middle 60% of all businesses in my experience;
16 to 22: Your organization has serious weaknesses and your CISO definitely has his or her work cut out. If a program isn't already underway, then a baseline ISO/IEC 27002 assessment would be a good place to start.
23 or 24: I won't say that you are in trouble... but you are. It is time to act before your organization becomes the preferred victim of the hacker community.
I hope that this article has provided you with some insights and value for your own security efforts. Your comments and feedback are welcome.