These days, it’s not hard to find news stories about personal, private and/or sensitive data being leaked or exposed in massive data breaches. An attacker found a way to get from an untrusted network into the POS system (Target, Home Depot). An attacker found a vulnerability in a website and downloaded a treasure trove of sensitive data (IRS, Equifax). An attacker sent an email and tricked a user into clicking it to install a virus (too many to count). Often, there’s also some discussion about the controls that could or should have been in place to prevent the breach: there was insufficient or no network segmentation; patch management was lacking or non-existent; data loss prevention (“DLP”) should have been in place to detect the exfiltration; security awareness training should have helped users better identify phishing and other social attack vectors. All of these points are valid, but most controls will only go so far, and your security efforts will only be as effective as the weakest link.
The image below was captured some time ago (I’ve waited so that it’s not immediately obvious to anyone who may be familiar with the engagement) and highlights a HUGE risk that no technical control can mitigate. The image shows a records system, logged on with complete access to sensitive data, that was left completely unattended. With very little effort, it was possible to get ‘behind the door’ (from the waiting room into the treatment area, in this case), move about freely to gain access to the system and steal, modify or destroy the data. Ultimately, the organization was made aware and has reportedly updated its employee training, but this is an excellent example of a gaping hole that no one seems interested in discussing.
As anyone who has followed our blog for any amount of time can attest, I am a fan of security controls (physical, technical and detective, usually in that order), but those controls can only go so far or do so much. Detective controls generally only tell you that something has happened (so the data is already impacted) and, in the case of a data breach, are too late. In this case, though, no amount of physical (it was behind a locked door), technical (it was behind a firewall on a fully patched computer that required legitimate credentials to access) or detective controls would have prevented an attacker from stealing, modifying or destroying the data.
We definitely need to get better at network segmentation (don’t put a wireless access point for ‘guest access’ on the same segment as your workstations and/or servers). We definitely need solid patch management (your servers should never go 3+ months without a reboot, and your users shouldn’t have the option to ignore updates for months on end ‘because they’re busy’). We definitely need some way to see if sensitive data (PII, PHI, payment card data, etc.) is leaving our environments en masse. We definitely want to use phishing simulations and similar tools to expose our users to social-based attacks so they learn how to identify them. All of these things are excellent tools that we can use to protect the data we’re entrusted with, but as long as we’re literally leaving the keys to the kingdom unguarded, we’re still exposed and all of these other efforts are just an expensive exercise in futility.