Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall
 

Episode #37 Keeping Your Data.. Your Data

From PII (Personal Identification Information) and PHI (Protected Health Information) to intellectual property and sensitive business information, the guys talk about how to keep your sensitive data from leaking to the outside world.
While there is no single answer, they cover both technology and governance tips to keep your data where it belongs. Plus, they rant to everyone, "Don't be a data hoarder!"

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines

Biden Orders CISA and NIST to Develop Cybersecurity Performance Goals for Critical Infrastructure

A Record Year for Cyber-Attacks That Impacted Society

Even After Emotet Takedown, Office Docs Deliver 43% of All Malware Downloads Now

This part of the news wouldn’t be possible without Microsoft….

New PetitPotam NTLM Relay Attack Lets Hackers Take Over Windows Domains
Microsoft Releases Guidance for Mitigating PetitPotam NTLM Relay Attacks

Lockbit Ransomware Now Encrypts Windows Domains Using Group PoliciesChinese Hackers Implant PlugX Variant on Compromised MS Exchange Servers
Microsoft Teams Now Automatically Blocks Phishing Attempts

But to be fair……

Apple Patches Zero-Day Flaw That Hackers May Have Exploited

 

10103417-small

Send Us Your Questions & Rants!

welcome to the cyber rants podcast where  we're all about sharing the forbidden  
secrets and slightly embellished truths  about corporate cyber security programs  
we're ranting we're raving and we're telling  you the stuff that nobody talks about on their  
fancy website and trade show giveaways  all to protect you from cyber criminals  
and now here's your hosts mike rotondo zach  fuller and lauro chavez hello and welcome to  
the cyber ants podcast this is your co-host  zach fuller joined by mike rotondo and lauro  
chavez how are you guys doing it's been a good  probably 10 hours since i've talked to you
same as before well today we're going to  be even better because we're talking about  
protecting your data and really keeping  your data your data right so it's really  
about a loss prevention right all kinds whether  it's you know pii or phi financial information  
intellectual property uh it's yours you need to  keep it and safe harbor that so before we dive  
in though uh as is our traditional method  mike you want to kick us off with the news  
yeah there are a couple headlines that i'm  gonna go into and then there's a couple of um  
headlines brought to us by microsoft which  i'll touch on later in order cisa and nist  
to develop cyber security performance goals for  critical infrastructure uh basically the president  
sent a memorandum on wednesday addressing  cyber security for critical infrastructure  
that would include the energy grid water that sort  of thing and basically the idea is to establish a  
set of governments stated and defined minimal  cyber security criteria for these industries  
in order to stabilize and centralize it we'll  see if it happens a record year for cyber attacks  
impacted society uh basically 2021 is already  proving to be a record year for cyber attacks  
solarwinds attack the colonial pipeline attack  the exchange attack uh the jbs meat attack and  
so on dark side obviously is a russian state actor  which is responsible for the colonial pipeline and  
solar winds the chinese have been implicated in  the exchange attacks and hacks which led to the  
unprecedented action of the fbi going into  vulnerable servers and removing web shells  
without the owner's knowledge or approval it's not  so much that the cyber attacks are particularly  
sophisticated but that these attacks are having  societal consequences that no one anticipated  
there's also the rise of geopolitical tensions  that is evident through the neighbors of these  
cyber attacks including the president talking  about it turning into potentially a shooting  
war that's something to definitely watch weird  stuff going on with that yeah even after emmett  
takedown office docs deliver 43 of all malware  downloads now according to netscope which released  
its cloud and threat report the average company  with anywhere between 500 and 2000 employees now  
deploys about 805 distinct apps and cloud services  with 90 of those being unmanaged and awfully  
freely often freely adopted by business units and  users which is a little scary the report noted  
that cloud storage apps account for more than 66  percent of cloud malware delivery in q2 2021 43  
of all malware downloads were malicious office  stocks compared to just 20 percent of the 2020.  
collaboration apps and development tools account  for the next largest percentage as attackers  
abuse popular chat apps and code repositories  35 of all workloads are exposed to the public  
internet with the navy aws azure and gcp with  that with public ip addresses that are reachable  
from anywhere on the internet and lastly rdp  servers have become a popular information  
infiltration vector excuse me they're exposed in  8.3 percent of the workload so long story short  
there's a lot of risk out there button up your  apps which uh something we're going to talk about  
in a little bit finally the microsoft part of  the news new petite potem ntlm relay attack lets  
hackers take over windows domains microsoft does  release a guidance for mitigating petite potem  
ntlm replay attack relay attacks and as of this  writing or reading they had not released a patch  
but it is just a workaround lock bit ransomware  now encrypts windows domains using group policies  
checker chinese hackers implant plug x variant  on compromised ms exchange servers and lastly  
microsoft teams now automatically blocks phishing  attempts we'll see how long that actually lasts  
and to be fair and balanced apple patches zero  day flaw that hackers may have exploited the patch  
comes mere days after another update that tackled  formal 14 vulnerabilities so that's the news lauro  
yeah thanks mike wow gosh you know microsoft said  you know hey i you know i want i want to retract  
my statement when you ask me at the beginning  how am i doing today fantastic you know why guess  
who's not in the exploit news this week yeah that  uh that sit boy rick from 1981 and his uh t-top  
camaro wordpress he's not there this week but  i don't tell you who is i'll tell you who it is  
yeah i know i had to look twice i was like  wait a minute really really there's no  
there's no new uh there's any crazy drugged out  plugins that he's dating so we got php 7.3 this  
is this is pretty interesting right so if you're  running php 73 make sure you should be well beyond  
eight at this point right but if you've got 73  for some reason look into this because there's  
a session upload progress that basically abuses  the ability for the session to handle that data  
from its source and so you can you can do data  injection with this exploit if you can get the  
session id i'll say that right so there's there's  got to have that missing puzzle piece but if you  
can get the session id you can inject arbitrary  data with this exploit and to uh detail on  
to mike's news newsletter to save the uh the  lowest of the group for last microsoft sharepoint  
server 2019 if you're still running that please  make sure you don't expose it and uh internally  
you're going to have remote code execution  capabilities with that version so make sure  
that you've got that at least patched the latest  but if you're running the oh 720 version of it  
you're gonna be you're gonna be surprised okay and  that's pretty much it for exploitation this week  
zach what are we talking about today comic books  or well i um beached house i figured we'd talk  
about beach towers and it's an important it's an  important thing to understand this right this time  
of year this time it sure is um big lots lots  lots of big sales going on for those want even  
more cyber rants be sure to subscribe to the cyber  rants podcast get your copy of our best-selling  
book cyber rants on amazon today this podcast is  brought to you by silent sector the firm dedicated  
to building world-class cyber security programs  for mid-market and emerging companies across the  
us silent sector also provides industry-leading  penetration tests and cyber risk assessments  
visit silentsector.com and contact us today we  need to talk about keeping your data your data  
right because that's something that comes up a  lot now there are certain organizations that have  
things that the data that's basically their  competitive advantage right that is their  
secret sauce um what they need to protect  their intellectual property right their trade  
secrets that really keep them ahead and a lot  of times their business is based on protecting  
that so that's obvious that you know for for  obvious reasons um they can't let that out there  
um but there are plenty of other companies out  there even that don't have that intellectual  
property they're worried about but they do have  pii phi um they have credit card data those types  
of things so they need to keep it internal right  they need to keep it where it belongs and there's  
lots of ways that data leakage can occur data  theft from not only outside the organization but  
of course within it the the malicious  insiders or the um well-meaning but unknowing  
employee right that just compromises or leaks data  so let's talk about that and let's start at a at a  
strategic or at least like a governance level and  talk about what an organization needs to do to  
keep their data internal where it's supposed  to be how do they need to be thinking  
right off the bat mike i mean i so i i mean  my first thought would be a data inventory of  
the data types that you have where it all exists  everywhere and then a data classification document  
yeah to determine the you know to basically label  those types and the control requirements around  
first i think a lot of organizations are data  hoarding uh right now yeah very much so um but uh  
yeah so so the data inventory i think is important  because if you don't know what what types of data  
that you have that are vital to your business or  that are subject to you know laws and governance  
and that sort of thing then it's it's going to be  hard to protect it ready to keep it from leaking  
so i think the data inventory is probably one  of the primary steps you want to make just to  
try to figure out where are all the places that  data is that sensitive data is going to live  
right and so you know it's it's a time-consuming  process but i think not only meaningful in the  
end and gives a very satisfactory feeling of  being able to categorize and manage all your  
data very effectively but you know i think it's  a necessary i think it's a necessary step for all  
organizations to go through because of that  data and i think you know mike i know we've  
seen places where oh this data sensitive data  only lives in this you know oracle database and  
in fact it's on sharepoint it's on people's hard  drives it's in one drive it's getting replicated  
all over the place um you know how that's when it  becomes so difficult to keep that data secure and  
um from accidentally leaking or you know if we  would have called it in the military sometimes  
a message right a classified message no yeah and  we've seen that all over the place and what's  
worse is that oracle server or oracle database  that lives on maybe a legacy oracle server that  
hasn't been patched in 10 years because no one  really uses it it's just data storage right so  
yeah up to vulnerabilities and to exposure and  yeah just echoing back what you're saying the data  
classification is so critical and so many people  just don't know what they have where it is and why  
they have it or they've lumped everything  together you know they've created queries  
in their applications where they can pull the  classified data or the confidential data but  
they they have everything together with the same  minimal controls and haven't segregated a property  
like you know you with the cde with pci where you  have to separate all that out um you should be  
doing that for all your data regardless of what  kind of compliance requirements that you have  
yeah no no certainly and and i don't want to  turn this conversation into you know technology  
based dlp right because i think you know i'm not  saying that's not helpful but i think that there  
are foundational things that you need to do as  as a business and as a leader first before you  
start buying a bunch of fancy tools because they  won't help you if you don't understand this like  
basic stuff and so i mean like at a minimum  well you know i guess at a minimum we see  
typically you know at a minimum probably three  classifications of data right you'll have your  
your public that's consumable from a business  perspective out to you know everybody marketing  
stuff it's gonna be on your public-facing website  that sort of thing and then you're gonna have you  
know internal or you know for official use only or  business confidential whatever you want to call it  
doesn't matter you can call it anything you want  what matters is that those are data types that are  
specific for just internal communication business  you know internal only and then you may have a  
third type of highly confidential that may include  like what you were talking about zach like trade  
secrets maybe you've got some secret sauce that  you know does all kinds of cool stuff that you  
know serves up you know the focus of your business  right to you to your customer base and you don't  
want that out or you know you could be holding you  know different types of um you know sensitive data  
from you know credit card data phi and you'll need  to label that out and it's not it's not that one  
you need more than one type you just need to  understand that there are a separation of the  
needs of data how they should be placed and used  and who should have access to it and then there  
are other types of data that need to be kept um  exactly say very very close to the best right  
and have very strict access controls but i don't  think any of that matters into your inventory yeah  
you got to know it got to know what you have right  and that's the foundation of every cyber security  
framework to begin with not just on the data side  but with your technology assets as well yes that  
kind of brings us back to that one story that  i brought up in the news that of the imminent  
software the software malware being 43 of office  document downloads from the uh either the web  
repository on onedrive chat programs or what have  you so now where are you storing that data right  
are you storing in a secure location or are you  allowing people to store highly confidential data  
or confidential data in onedrive and if so how are  you securing them do you have the right license uh  
the right microsoft live license for one drive  to ensure that you have the proper controls so  
you can control who can connect that data you can  be you can identify what data is being pulled down  
and that you can prevent someone from just taking  their personal laptop jacking into their one drive  
and stealing all your ip or something of that  nature and then going on to another company i  
don't want to call it data policing because it  sounds apparterium but i mean it kind of it kind  
of is right i mean you know let's let's just be  honest right some of the the users the data users  
right the employees they're they're going to be  lazy and they're going to you know everybody has  
their own way of doing things and they're going to  want i don't want to go to the secure one driver i  
don't want to go to box and you know download this  stuff every time i need to use it or use it online  
right i want to be able to have a local copy you  know and so this gets this you know this causes  
that you know that started data hoarding right  where it just gives a domino effect and now you  
know if you've got 50 employees you've got  you know 5 000 employees you've got all this  
you know doing kind of the same same things  you know emailing over these reports and  
it can get out of hand really quickly  mike you shared an article the other day  
um and i can't remember the title or the  main premise of it but it was talking about  
it was talking about employees um and just the the  sheer volume of of software that they install on  
their own so employees are out there um finding  tools and programs online and just using their  
own stuff not necessarily company approved  because a lot of companies aren't restricting  
this they've said something like out of for the  average 200 employee company has something like  
um like over 200 unauthorized applications in the  environment so or unknown just because people use  
their own thing and that's that's where your  company's data ends up going yeah i mean since  
people have moved to the remote working and  you know as because of cobit which is why we're  
seeing so much data stolen without the oversight  of i.t and the control of a centralized land  
you have people that have gone out to find their  own solutions and you know case in point we had a  
client that they needed to solve a problem of  moving large data files they didn't bother to  
contact iot to how to do it someone found an app  online and said oh well this will move large data  
files so then they shared it with the entire  business unit without any betting any security  
around it i mean any looking at it and god only  knows what had happened you know we're gonna  
have to have a whole podcast about administrative  control right because i think that's why i bring  
up word i mean that's the reason wordpress is in  the exploit news so much because they're creating  
you know they allow the creation open source right  they allow the creation of all kinds of plugins  
right and chrome is chrome is getting that way  too right i mean the google chrome store is just  
rampant with vermin so you know if you're if  you're letting your employees leverage chrome  
for you know browser functions simple things  like that right that that patching so i mean  
this this you know this kind of data protection  comes all kind of full circle back to you know  
holistic cybersecurity program really right  because every little piece helps provide that  
protection another protective layer for the data  but you can't protect a dang thing unless you know  
where it's at right yeah we're talking about those  extensions that goes to the old speed of market  
thing right i've got this new tool i'm going to  open it up so everybody can you know make a part  
of it and everybody can develop for it all of a  sudden you're developing malware in it as well  
as it becomes adopted it begins you know it's a  two-edged learner you have to cut that off at some  
point where you have to sign code and you have to  everything has to go through a specific approval  
process whereas you know now it's just you know  everybody puts in that puts an app up it slows  
business down so far to do that though right we're  talking about certification and accreditation now  
and business leaders aren't willing to wait i  think that's what it is you need to have that very  
mature very methodical very emperor emperor's like  perspective of we're doing this right it's going  
to take a little longer but when it when it rolls  it's going to be awesome and i think that's like  
the only way to really kind of see those processes  through but i think speed to market is just  
rampant in the world today well i remember the  good old days when you know the real the first  
smartphone out there was the blackberry right and  everything got routed through a single location  
and had editing code any location had to be signed  blackberry those phones were also indestructible  
which was always nice yeah i mean back in that  day i mean there were no breaches of blackberries  
because it just wasn't even positive i missed a  little scroll ball they had on there it was kind  
of cool but yeah blackberry was was a great great  you know architecture foundation that yeah that's  
a that's a good example i think for a company that  did a good job of making that security foundation  
yeah but because they didn't open it up they no  longer really exist right so it's that two-edged  
sword right blackberry was the 800-pound gorilla  for the longest time and then all of a sudden  
they're gone because apple and google opened  everything up so you can develop your own apps  
and all that kind of stuff that made it easier to  use plus we have data leakage so you uh you know  
i think what you're saying is that's a lot of good  information start out inventory know what you have  
right understand where it is i think um some other  things too are the the the staff i think needs  
to sign off too that they understand what's  what right we have to have that training we  
without them basically being being bought  in and understanding the why behind all this  
um this stuff will will continue you know and then  really limiting access being very very specific  
on what applications your your users are using  seems like that centralized management is missing  
in a lot of organizations and people are just  letting them you know people are using their own  
devices with whatever they want so limiting that  is huge what about what are your thoughts on um  
like uh data flow diagrams and that sort of thing  having more visibility over where this stuff lives  
day to day yeah necessary i mean i consider that a  step of the data inventory you know what i mean to  
do those kind of um you know data data mapping and  data flows out as a kind of an output of that data  
inventory to kind of understand what applications  are processing it and how users are consuming  
it but you know things like pcr require that but  it's a it's actually a it's a good exercise to go  
through and it gives everybody just a completely  different level of awareness on how data flies  
in the organization anything else on the kind of  the high level strategic and governance side any  
other considerations or should we dive into some  of the specific technology-based configurations  
that we can do i just think it's key to build  the governance piece at the beginning rather  
than trying to bolt it on the back and that's what  we see seem to be see is missing in so many people  
or something so once you have that let's say you  have really really dialed in you understand what  
data you have where it lives it's classified uh  all these things are in place um and the staff  
knows what's coming what about implementing  some of the technology solutions you know i mean  
um like you know for example blocking thumb drives  unless they're authorized company thumb drives or  
some of the mdm solutions and stuff out there  are there anything are the is there anything  
that you think moves the needle on this more than  others um when it comes to just data protection  
um there's a lot of cool check out now you know  i think you know the the original integrity  
monitoring and data loss prevention tools were you  know from a caffeine and tripwire and places like  
that right so now everybody's kind of got into  this game so you know if you're out there and  
you've moved past this kind of governance hurdle  and you kind of understand where your data is  
and now you you need to apply role-based access  control based on need to know right and so these  
tools will help you do that i think the thing that  moves the needle the most is again to understand  
your your your data entry and exit points that  are going to be important so um like you said zach  
i think a big one that we see a lot is the thumb  drive is completely overlooked no one's using tape  
storage you'll see a lot of governance frameworks  talking to controls about you know removable media  
uh in the form of like you know tapes or drives  or something we you know you know we'd go you know  
down to and store in the you know the tape room or  whatever right for backup um that magnetic media  
is starting to you know be a dying tech now i've  been even it probably is already dead i haven't  
seen i haven't seen a tape silo i don't know it's  been using a tape silo mic it's been at least 10  
years for me so know that i got a great deal on  one four four floppies the other day from amazon  
so hopefully it's next week wow i hope so i have  so for your sake it's a significant yeah it's a  
good that's a good thing to don't stack up on too  many of those i'm just saying but anyways yeah  
um you know they're they're talking about thumb  drives is really what that applies to now you know  
most of the cd most of the laptops that come  today or you know not going to come with a  
cd drive you know that that sort of begin you  know sort of again like a dying tech as well  
so thumb drives are really going to be the  point of origin for removable media and  
and having a method to ensure that that's  not an exfiltration point for data hoarding  
there's a lot of users that i'm i'm a big  proponent of offline storage to usb drive  
so there's going to be a lot of of your your  employees that may also have that like i'm going  
to take it home i'm going to put it on thumb drive  get some happens i don't trust it they build a bad  
operating system load or we're using microsoft and  i just need to keep it on a thumb drive right so i  
mean there's a lot of good reasons to put your  data on a thumb drive but you know if you're a  
business you've got sensitive data and you're in  this kind of final stage make sure that you've got  
um and again great great point zach make sure  you've got a way to issue and manage thumb  
drives in the organization because i think that's  a huge risk factor that it's overlooked by a lot  
of organizations that have even been impacted like  you know very restrictive rights and are using a  
a very modern method of data sharing on like you  know box or something like that right or using  
um you know microsoft intune to manage data  at the mobile device now right where you can  
you know ensure that users on their phones can  get email but they can download the attachments  
right that sort of thing right so there's a lot  of cool stuff that's happening but thumb drives i  
think are probably one of the bigger risk factors  that i think has been kind of overlooked lately  
the phones and the laptops i think are the  probably the easiest to manage with these with  
these techs today so on the flip side of that if  t department don't the users an excuse to do that  
get with your business unit managers get with  your users and tell them find out what their  
pain points are and figure out a way around them  saying well you guys build garbage so i need to  
have a usb drive backup of this you know a lot  of the complaints are my laptop isn't backed up  
i have a lot of critical data on it well why do  you have critical data on your laptop how can we  
fix that for you so from the it shop side you  need to be able to eliminate those issues ask  
those questions and kind of head off at the pass  concerns so you don't force them to use the usb  
but i totally agree you got to turn off the usb  or you should anyway unless there's an absolute  
justifiable reason for having it and if so then  issue usbs but you know one of the things that you  
have to make crystal clear which is astonishing  even in this day and age if you find a usb drive  
don't plug it in it's just simple concept  but people still do oh people still do but  
yeah that's the drop drive is still a very viable  method to get somebody to especially if you put a  
label on there it was just like you know like  pics of the picks from vegas yeah i mean right  
that's all you got to put on it because i'm like  ooh picks from vegas but you know i'm going to get  
a drop i'm going to get a burner laptop i'm going  to find out i'm like oh this is a great malware  
um do you think it's a burner laptop anyways  yeah you got to test that stuff out the right way  
um but there's a lot of cool tools out there  right and so from a tech perspective what i would  
suggest to it teams is look at the subscriptions  you're paying for today right i mean a lot a  
lot of organizations are microsoft shop right so  microsoft intune is kind of a new thing for them  
um that's kind of being proliferated about it does  a good job of mobile device management everybody's  
already integrated into microsoft's you know  um you know one login um 80 piece right so it's  
it's kind of um it works well i'm not saying  it's without flaw right because it's microsoft  
um so keep that in mind but what i  will say is that you're not gonna  
it's not gonna be like putting in a whole  new technology to do this right it's just  
it's an enablement inside of a subscription  you already have so i'd say look there first  
um for for thumb drive control there's you know  there's going to be a lot of programs i would  
look to your endpoint management solution  that you're using so if you're using like a  
sofos or a carbon black look to see if they  offer a lot of these um epps are offering  
the capability to control that white listed thumb  drive port right um and then you can also just be  
like a good engineer and you can go in and you  can disable those ports right at the os layer if  
you just say nobody needs to use a usb drive ever  there's not a reason for it we have too much you  
know technological capability to not you know need  this then just go in and make the configuration in  
your gold image and you don't have to worry about  buying attack failing that you can use super glue  
yeah did i tell you about the commercial that i  wanted to do for us where it was just like this  
this like cyber criminal right he he does all  the social engineering and he gets into the data  
center right and so he's got his thumb drive and  he's in the data center and he snuck past all the  
lasers and all the infrared and all the floor  sensors he's like actually at the server rack  
and he's about to plug in his thumb drive right  to inject this malware into this massive database  
right that's super computer giant's got lights  that are flickering on it right looks like  
something out of star wars anyways and he goes  and he he gets to the usb drive and he looks  
and he realizes that the thumb drive won't go  in as he looks closer and the camera focuses  
there's like a little wire mesh cage over the  thumb drive and it says silent sector was here  
and it's like all bolted in so there's no  way to physically insert it and he's like  
got this look on his face you know like watch  people die inside and then the police come and  
arrest him of course right now i think i think i  think we end it with him like sitting at the diner  
like sipping a cup of coffee in his little  his uniform you know just kind of like sad  
that's a good one well we'll uh know that  we'll have to make that oh one thing that  
we also need to you need to look at when it  comes to uh controlling what happens on your  
devices you've got intune you've got onedrive's  ad you have native ad like local on-prem ad you  
have hybrid models you need to really research  what active directory model will work for you  
if you're going to deploy gpos because in a lot of  cases those mic microsoft has not fully baked out  
that whole solution um each one has parts that are  valuable so you need to be able to look at active  
directory from that perspective for gpo management  and see which what will actually satisfy your  
needs and make sure you have the right license  for o365 and onedrive oh yeah and if you're  
if you're not a microsoft shop there's other  tools to help you too right to do this sort of  
localhost 80 management or jumpcloud's one of them  um that we see you know be very successful right  
there's there's other ones so do your research  but um they will allow you local you know security  
group control with with one agent which is really  cool and you can do the thumb drive lockout and  
you know you can control the host just like  you can in ad well excellent information any  
final thoughts we're running out of time here  any anything words of wisdom before we wrap up  
don't be a data hoarder yeah definitely when  you get into the petabytes you got a problem  
there's like gambling addictions there's  drug addictions and there's data addictions  
and you know your business might be addicted  to garbling up and proliferating unnecessarily  
data well you you have to maintain a farm of  mainframes because you've got data from the 70s  
you got a problem so let it go man just  let it go just let it go that's right
thank you 83 vet sitting in the garage you're  never going to work on it just let it go well  
thank you everybody for joining hope you learned  something today hope this information helps you  
in your careers and your endeavors and by  all means reach out if you have questions  
any requests for topics anything like that  make sure you subscribe to the podcast  
we will see you next week