Saturday, October 15, 2022

4 Main Causes Of Data Leakages: How To Fix Them

 


Just yesterday, I published a new e-Book on AMZN. It is actually my end of year report, as it will be the last eBook for the year.  The topic is on data breaches, and how filling in the worker shortage gap could help eliminate some of these things from happening. 

The breaches are as usual from the past year, but data leakages was at the top now, when the previous year it was down towards the middle.

I have often been asked what a data leakage is, and how you really define.  Well, a data leakage is just that . . . data is being exfiltrated either intentionally or not, and is going out somewhere to a point of destination where it should not be going to.  You can easily compare this to a fluid leak in your car.  Obviously, you don’t want it to leak anything.

What is interesting to note that is that data leakage issues hardly ever occurred when businesses had their IT and Network infrastructures On Prem.  It only started to make waves once COVID-19 hit, and all businesses were (and are still) making the rush to the Cloud. 

More than likely, the Cloud migration was not properly planned, or it was not thoroughly tested before the deployment went live.

In this blog, we are going to take a further look as to the other catalysts of data leakages.  Here we go:

1)     Reliance upon suppliers:

We now live in a world that is totally interconnected with another, whether we like it or not.  Because of this, we are more reliant upon third party suppliers.  Gone are the days when you could meet any potential partner face to face, everything is now done via Teams or Zoom.  Because of this, the risks of data being leaked at your outside supplier are now even greater than ever before.  For example, suppose you outsource your payroll functions to a third-party vendor.  You really don’t need to meet face to face, any meetings can be held digitally.  Obviously you will be sharing private information and data (especially about your employees) with this processor.  You don’t know if they have all of the controls in place to protect all that data.  If they don’t, the chances of data leakage from happening are far greater now.  But here is the catch that you need to be aware of:  If anything does happen to this payroll processor, you will be held for any damages caused by the data leakage not, you!!!

2)     Misconfigured buckets:

Whenever you transition from an On Prem to a Cloud Infrastructure either on the AWS or Microsoft Azure, one of your first goals is to create a secure storage space in which to store your information and data in.  These are technically known as “storage buckets”, and in the AWS, this known as the “S3 Bucket”.  S3 is an acronym that stands for “Simple Storage Service.”  While it is a great tool to have and is relatively simple to deploy, many companies fail to configure their S3 buckets to their own security requirements and instead, rely upon the default settings that the AWS provides.  This has been a huge culprit in the data leakage issues surrounding these S3 buckets.  Everybody wants to blame Amazon, but the truth of the matter it is you, the CISO that should take ultimate responsibility to make sure that everything is configured properly.

3)     Poor source code:

Today, we are seeing source code being compiled in a way that is totally insecure.  For example, software developers often do not test the modules for any weaknesses or misconfigurations, or it they do, it is often done at the last minute, and very hastily.  Very often, open-source APIs are also used, which often have not been tested or updated with the latest patches and upgrades.  Because of all of this poor source code being compiled, a lot of backdoors are now being left open, for which the Cyberattacker can now penetrate quite easily into, and exfiltrate data from.  This is happens quite a bit, but you hardly hear about in the headlines, because nobody wants to admit it publicly and lose customers over it.

4)     No encryption being used:

This is essentially where you use a mathematical algorithm to scramble all of your datasets so that they remain in a garbled state, and is incomprehensible should it be intercepted by a malicious third party.  The only way that they can be made decipherable is by unlocking them with a private key.  In fact, encryption tools are already available with the major Cloud Providers, and it should be done automatically.  However many businesses are still naïve about this fact, and still store their datasets in a cleartext format.  So once that data is exfiltrated, a Cyberattacker can do anything that they want with it, even sell it on the Dark Web.

My Thoughts On This:

If you want a complete laundry list on how to mitigate the risks of data leakage, a simple Google search will suffice.  There, you will find a checklists and frameworks that you can use.  But for purposes of this blog, here is what would normally be recommended:

*Whether we are in the digital world or not, it is your responsibility to vet out each potential third party completely and thoroughly with whom you are considering with.  Make sure that their security policies and protocols that they have put into place is at least equal to what you have in your own business.

*Before going into production mode, always double check that your storge bucket settings are configured the way they need to be.  Do not rely upon the default settings!!!

*Testing the source code should be a no brainer by now.  After all, you are creating a portal for either your customers or your employees, and you have to make sure that that as far as possible, that there are no obvious backdoors that are open.  Testing of the source code should be done on a modular basis, so it all does not pile up in the end.  In fact, there are many automated tools that you can use as well to test the validity of the source code that is being compiled.

Finally, as you migrate to the Cloud, make use of a Cloud Services Provider (CSP).  They can help you plan the transition from beginning to end, and even help you with the encryption issues as well.

No comments:

Post a Comment

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...