From autosaved spreadsheets to test systems using real data -- CISOs warn of five oft-overlooked sources of data leaks
"Information wants to be free" is a gross understatement.
Enterprises blanket their systems with security in the attempt to saturate every data repository with protection. Organizations affirm the logic of layering everything from access management to security zones to safeguard information assets. Yet, somehow, data still leaks. Real world exposure occurs virtually on a day-to-day basis.
Advanced malware attacks get a lot of ink, but careless employees, incomplete policies, and the invasion of consumer technologies create plenty of risks as well.
Here are five places where data sometimes avoids the protective eye of security systems and policies.
Let's start with the most obvious hiding place: Spreadsheets.
Spreadsheets contain fun, variegated, and often sensitive data sets: financials, credit card numbers, HR data. This, you knew.
When enterprises neglect security measures such as passwords and share these files via email, file shares and collaboration suites, that data could end up anywhere. Employees endanger spreadsheet data when they connect away from the office to the less secure home and hot spot networks. Lost or stolen laptops, USB keys, DVDs and smartphones expose the files when security plans neglect disk or file level encryption, or both, says Craig Shumard, CISO emeritus, CIGNA.
Meanwhile, back at the office spreadsheets are still falling victim to low-tech exposures such as when employees print them out and leave them lying around.
In one example, shared by a former travel booking industry executive, a good employee with the best of intentions together with poor security put critical data in a bad position. "We found out one of our payroll people had dumped a bunch of data into a spreadsheet and saved it on a laptop, which was stolen. The disk was not encrypted," says Ed Bellis, former CISO of Orbitz. In this particular instance, nothing came of it, says Bellis, but something certainly could have.
So spreadsheets like to wander. This you also knew.
"Spreadsheet" for most enterprises used to refer to Microsoft Excel (unless your career goes back to the Lotus 1-2-3 era). Today, of course, there is a handy cloud-based spreadsheet tool in Google Docs. (More about file synching services in a moment.) So hunting for errant spreadsheet data means looking in more and more places.
Hopefully you knew that too.
But have you also considered that even unattended settings may leave gaping security holes as well?
"If you don't take into account how your AUTOSAVE settings are configured in Excel, the application can create a shadow copy on your local machine, open to anyone who can get to it," notes Adam Gordon, CISO of New Horizons Computer Learning Centers.
SharePoint is Microsoft's file sharing/collaboration/content-and-project-management tool. "SharePoint is capable of handling more than 200 file types out of the box without any customization," says Gordon.
Imagine the data it can unleash.
Enterprises use this popular application to enable data sharing outside the organization. And if access controls and other security essentials are lacking, these installations can leave data unguarded. When the enterprise doesn't establish consistent policies about permissible SharePoint data, when transferred or terminated employees retain access to the application, or when the enterprise permits remote access, critical information can end up 'in the wind'.
Various administrative bloopers and bad judgment calls can exacerbate these risks. Incorrectly configuring services that analyze and present data to SharePoint, such as Excel, Visio and Performance Point business services, can create security holes, according to Gordon. Administrators who inappropriately grant broad access rights to people who shouldn't have them--usually just trying to provide a quick fix for some workday problem--also create vulnerabilities, Gordon explains.
The simpler the mistake and the greater the exposure, the more the embarrassment.
"I had a customer who inadvertently allowed the organization to post proprietary financial data to the external side of its SharePoint portal, allowing customers to see account information and transactional data," says Gordon. In this case, a live data feed was mistaken for the test data feed and errantly input into the test system. When the test system's output was shared on the public side of SharePoint with the partners and vendors who were examining it to fix / improve the test system, they saw the confidential information as well.
(More on the horrors of test system misuse a bit later.)
3. Dropbox (and company)
Dropbox is similar to SharePoint but potentially more hazardous since the enterprise customer does not manage the externally hosted cloud file-sharing service. Dropbox and its ilk--Google Drive, SkyDrive, Box and so on--are designed to appeal to consumers with extremely simple account setup. So their use for enterprise data is all but inevitable.
Once Dropbox is sending information to the public Internet and mobile devices outside the enterprise perimeter, that data can make its way to eyes that don't have the proper authorization. "Almost anything could end up on a public web server outside the company's control," says Bellis.
In addition to its public nature, passwords are another of Dropbox's weaknesses.
Obviously, hackers can guess weak Dropbox passwords or acquire UID / password combinations through social engineering, says Gordon. The most common password vulnerability, however, seems to be the re-use of passwords on Dropbox that have been used with other compromised systems (email, websites).
In a widely-publicized debacle from July of 2012, a Dropbox employee stored an unencrypted document inside the file-sharing app that listed users' email addresses. An attacker logged into the employee's account using a password the employee had reused on another infiltrated site. The attacker then obtained a copy of the unencrypted document and used the email addresses to unleash a flood of Spam on Dropbox users.
The password reuse problem is, of course, not unique to file-syncing services.
But Dropbox customers have faced internal issues. In August of 2011, an employee of the Chocolate Emporium, Cleveland, Ohio maliciously copied the company's entire customer database to Dropbox, including credit card numbers. The company recovered the records but an arrest and lawsuits ensued, according to the Open Security Foundation's DataLossDB.org.
Provide data with a way out of the organization, and sooner or later someone will try to abuse it.
4. The printer graveyard
Today's enterprise class printers and fax machines come with internal hard drives. These state-of-the-art devices store images of everything they process, exposing data from any department that uses them. Compromise is possible when administrators don't use available encryption and user IDs and don't automatically delete data off the drive on a schedule, such as every two hours, clarifies Shumard.
The same data from the same file types--from company directories to strategic plans found in Word, Excel, PowerPoint, and innumerable formats-- are up for grabs when these devices are decommissioned or returned off lease without the enterprise first wiping the drives by degaussing or overwriting them.
"There have been cases where remnants of credit card and social security numbers were left on these devices or classified military or government data was being pulled out of hard drives left in these devices when they were decommissioned, says Gordon.
In fact, he notes printer memory can be a liability even before it goes to the great scrapyard in the sky: "Hackers have also perpetrated bogus service calls posing as copier service technicians in order to steal proprietary IP from devices still in service."
[Also read EPA data breach highlights worrying trend]
Now not just anyone can easily hack every device with RAM. "Many of these devices have proprietary OSs such that you cannot break the code with less than a high level of security knowledge," says Ondrej Krehel, CISO of IDentity Theft 911. However, when these devices process documents, the system often stores the document in three different formats in three different places, including PDF files dropped in temporary folders on the user's computer, explains Krehel.
If there is nothing in the security plan to account for this system behavior, the data becomes as vulnerable as the user's computer is.
5. Test systems and development environments
The enterprise should test new systems before deploying to the production environment. That's clear.
However, when IT or developers use live data in test systems, they can expose whatever information the departments for which the enterprise has slated the systems typically handle. If live data including PII or Intellectual Property is left on the test system, people on the test team and departmental end users who are testing the system may be able to get to it, says Ruben Obregon, former CISO at a medium-sized non-profit organization.
"And if the test data remains on a hard drive that is reused later, still others could reach it," Obregon says.
"I have seen production data make its way into development environments that lack the same controls normally found in production. Whether those are access, encryption, or integrity controls, all bets are off when people move this data into an environment that is not quite as locked down such as development or QA," says Bellis.
"I have witnessed issues where production data was migrated to a less controlled environment and, despite nothing but good intentions, managed to end up on completely open environments such as consultant laptops and portable devices," he says.
Read more about data protection in CSOonline's Data Protection section.
This story, "5 places your data goes to hide" was originally published by CSO.