BreachExchange mailing list archives

More On Internal Data Loss Incidents


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Wed, 2 Jan 2013 11:17:34 -0600

http://blogs.gartner.com/anton-chuvakin/2012/12/31/more-on-internal-data-loss-incidents/

“If a tree falls in a forest and no one is around to hear it, does it
make a sound?” – If a piece of sensitive data is exposed to the
intranet/LAN, is that a security incident?

Here are some versions of an answer I’ve heard (all fictionalized, of course):

“No, what on Earth are you talking about? We share everything inside
the firewall.”
“No – since we would never know that it happened anyway.”
“Yeah, kind of – but it is a low-priority incident, the one we get to …
whenever we get to it.”
“It depends on the data, some data seen outside its intended secure
enclave immediately triggers an incident.”
“Yes, of course – with 50,000 employees you cannot have any concept
of a perimeter.”
“Yes, because our internal is really external – due to a large number
of partner, customer, vendor, etc personnel on our network.”

However, the situation is much worse than that. I am this close to
thinking that today at a large company with expansive and effectively
uncontrolled network access (wireless, VPN, BYOD, etc), an internal
breach is going to become an external breach before you can say
“DBIR”.

Here is why: a lot of the organizations open up all sorts of internal
resources to all sorts of outsiders and then poorly govern access to
said resources. A recent research piece on SharePoint contained this
shocking number: “nearly a third of these internal-facing SharePoint
sites are now being opened up to people outside of the enterprise,
such as partners and customers for external collaboration.” The
authors further note, in a style reminiscent of a winning The
Understatement of The Year contest entry, “This changes the overall
risk profile of SharePoint.”

In this scenario, an internal exposure magically becomes a data
breach. In light of this, some organizations undertook massive
(=covering hundreds of thousands of internal file repositories and
millions of files) efforts to discover, corral and attribute (to data
owners) sensitive data and then institute a blend of processes and
ongoing technical monitoring (via DLP) for internal exposures, in
addition to explicit exfiltration and “loss.”

Finally, here is a great example (discovered here) of an internal
incident leading to formal breach disclosure:

(full notification is at
http://doj.nh.gov/consumer/security-breaches/documents/depository-trust-20120702.pdf)

So, here is to change in the New Year: accept an idea that an internal
sensitive data exposure may, in fact, be a security incident, even
before the attackers get to this data and steal it!
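The post describes discovering sensitive data across internal repositories, attributing it to data owners, and monitoring for internal exposures rather than only for exfiltration. The script below is an added illustration of that triage logic (it is not code from the post, from Gartner, or from the mailing list): it runs simple content detectors over a constructed inventory of files and their read permissions, attributes each hit to its owner, and grades the exposure by who can read the file. The group names, paths, and file contents are invented placeholders; the rule that partner- or customer-readable groups count as "external" reflects the post's point that internal and external are no longer distinct.

```python
import re
from dataclasses import dataclass

# Constructed sample inventory standing in for an internal share / SharePoint
# crawl: path, owning user, groups with read access, and file text.
# All values are made up for this example.
SAMPLE_FILES = [
    {"path": "//fs01/hr/payroll_2012.csv", "owner": "hr.lead",
     "readers": {"hr-staff"}, "text": "jdoe,123-45-6789,52000"},
    {"path": "//sp/sites/eng/vendor-onboarding.docx", "owner": "eng.mgr",
     "readers": {"Domain Users"}, "text": "Alice SSN 987-65-4321 for badge"},
    {"path": "//sp/sites/sales/partner-deck.pptx", "owner": "sales.dir",
     "readers": {"partners", "sales"}, "text": "card on file 4111 1111 1111 1111"},
    {"path": "//sp/sites/sales/q4-plan.txt", "owner": "sales.dir",
     "readers": {"partners"}, "text": "order id 4111-1111-1111-1112"},
    {"path": "//fs01/it/runbook.md", "owner": "ops",
     "readers": {"everyone"}, "text": "restart the service nightly"},
]

# Content detectors. The card pattern is backed by a Luhn check so that
# order numbers and other 16-digit strings do not raise false alarms.
PATTERNS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_pan": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

# Hypothetical group names: membership of these extends beyond employees.
EXTERNAL_GROUPS = {"partners", "customers", "vendors", "everyone"}
# Hypothetical groups that cover essentially every employee.
BROAD_INTERNAL_GROUPS = {"domain users", "all employees"}


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used to validate card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect(text: str) -> set:
    """Return the set of sensitive data types found in a piece of text."""
    found = set()
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if name == "card_pan" and not luhn_ok(digits):
                continue
            found.add(name)
    return found


def exposure_level(readers) -> str:
    """Grade who can read a file: external, broad internal, or contained."""
    groups = {g.lower() for g in readers}
    if groups & EXTERNAL_GROUPS:
        return "external"
    if groups & BROAD_INTERNAL_GROUPS:
        return "internal-broad"
    return "contained"


@dataclass
class Finding:
    path: str
    owner: str          # data owner the finding is attributed to
    data_types: list
    exposure: str


def triage(files) -> list:
    """Discover sensitive files and attribute each hit to its owner."""
    findings = []
    for f in files:
        types = detect(f["text"])
        if types:
            findings.append(Finding(f["path"], f["owner"], sorted(types),
                                    exposure_level(f["readers"])))
    return findings


def incident_queue(findings) -> list:
    """Anything readable beyond the owning team is an incident; external
    readability is treated as a breach rather than a low-priority ticket."""
    return [x for x in findings if x.exposure != "contained"]


if __name__ == "__main__":
    for x in incident_queue(triage(SAMPLE_FILES)):
        print(f"{x.exposure:15} {x.owner:10} {x.path}  {','.join(x.data_types)}")
```

Running it lists the vendor-onboarding document (SSN readable by every employee) and the partner deck (card number readable by partners) as incidents, while the payroll file stays a contained finding attributed to its owner and the partner plan is skipped because its 16-digit string fails the Luhn check.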
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 
