Protecting Your Organisation’s Data Sources and Crown Jewels
As the digital age races on, information and data remain the keys to the palace. Threat actors are always working to discover misconfigurations they can exploit, employees they can manipulate and systems that lag behind in patching, with the express goal of compromising systems, stealing data and deploying ransomware.
With companies awash in a seemingly never-ending ocean of data streaming both in and out of their data centres, and with the internet and the mobile workforce continuing to grow, knowing where data is and all the windows hackers can use as attack vectors becomes more arduous.
With so much data, how do you approach it and secure your bases? Typically, the process can be broken down into these phases:
- Identification and Baseline.
- Raise Bar.
- Real-time Monitoring and Protection.
These three phases allow us to discover, harden, monitor and protect our networks and systems in an effective manner which can be repeated consistently. This is important because redundancy and repetition are a staple in making sure that all your security bases are being covered to the best of your ability.
Identification and Baseline
The first phase is Identification and Baseline, which can be further broken down into this series of actions:
- Entitlement reporting.
- Vulnerability assessment.
In spite of the modern age, an age-old bit of wisdom is still relevant: you can’t adequately protect what you don’t know about. The discovery process is simply about finding and making a note of all the different data sources that exist in your environment.
Data can be anything, really. It can be:
- Structured data, which is data organised and formatted in a repository, useful for relational databases and Structured Query Language (SQL).
- Semi-structured data, like big data databases such as Cloudera, Cassandra, and CouchDB.
- Unstructured data, which is file shares like Network Attached Storage (NAS) or cloud-based ones like Google Drive, Amazon S3 and Dropbox, as well as text files like Word documents and email messages, and videos, images and audio files.
Considering how much diversity there is among data and data sources, it should come as no surprise that these different assets often require different security controls. The classification process is about understanding the data sources you’ve found and classifying the types of sensitive data held in them.
Different types of sensitive data include:
- SOX information.
- PII, PCI and PHI information.
- GDPR information.
For different types of data, different types of controls are used. Part of this is due to how fast-evolving cybersecurity, still considered a relatively young field, is, with the regulatory compliance requirements for a number of sensitive data types often shifting.
Regulatory compliance requires specific controls tailored to each data source, such as PCI information requiring encryption.
Put simply, entitlement reporting is about who has access to the data. This includes, specifically, who has access to sensitive data like PII and PCI data, but also, importantly, includes who exactly has access to the data source itself and what actions they can perform on it, like reconfiguring the data source.
In organisations, an employee’s privileges should be restricted to what their role requires of them, with security controls put in place to mitigate vulnerabilities; however, people often miss access loopholes that can cause data breaches.
For example, a database administrator (DBA) may not have access to sensitive data not related to their job, like salary information, but perhaps they still have the privilege to create a database user account with any role and privilege-level.
This opens up a security flaw.
Cybersecurity best practice would advise in this situation that a security control be implemented that logs the DBA’s activity, as well as that of all other employees. When the DBA onboards a new account, it should be integrated with your ticketing system, so you can see whether it falls in line with what is expected of that user today.
Cybersecurity is all about checks and balances being in place, after all.
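As an added illustration of the ticketing check described above (this is not code from the original post), the script below reconciles a constructed database audit trail against a constructed ticket export and flags account creations or privileged grants that no ticket approved. The log format, ticket fields and role names are assumptions.

```python
import re

# Constructed sample database audit trail (not from the original post): each
# line records timestamp, user, source IP and the statement that was executed.
AUDIT_LOG = """\
2021-03-02T09:14:05Z user=dba_alice ip=10.0.5.21 stmt="CREATE USER report_svc"
2021-03-02T09:14:09Z user=dba_alice ip=10.0.5.21 stmt="GRANT SELECT ON reports TO report_svc"
2021-03-02T22:47:33Z user=dba_alice ip=198.51.100.7 stmt="CREATE USER tmp_admin"
2021-03-02T22:47:40Z user=dba_alice ip=198.51.100.7 stmt="GRANT DBA TO tmp_admin"
2021-03-03T08:02:11Z user=app_backend ip=10.0.7.3 stmt="SELECT * FROM orders"
"""

# Constructed ticket export: approved account requests and the highest role
# each ticket authorises. A real deployment would pull this from the ticketing API.
TICKETS = [{"id": "CHG-1042", "account": "report_svc", "max_role": "SELECT"}]

LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) stmt="(?P<stmt>[^"]*)"$')
CREATE_RE = re.compile(r"^CREATE USER (?P<account>\w+)$", re.I)
GRANT_RE = re.compile(r"^GRANT (?P<role>\w+)(?: ON \w+)? TO (?P<account>\w+)$", re.I)
PRIVILEGED_ROLES = {"DBA", "SYSADMIN", "SUPERUSER"}  # roles a DBA must never self-grant


def parse_log(text):
    """Turn raw audit lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def reconcile(events, tickets):
    """Return (timestamp, user, ip, reason) for account provisioning that no
    ticket explains or that exceeds the role the ticket approved."""
    by_account = {t["account"]: t for t in tickets}
    alerts = []
    for ev in events:
        c = CREATE_RE.match(ev["stmt"])
        g = GRANT_RE.match(ev["stmt"])
        if c and c.group("account") not in by_account:
            alerts.append((ev["ts"], ev["user"], ev["ip"], f"unticketed CREATE USER {c.group('account')}"))
        elif g:
            acct, role = g.group("account"), g.group("role").upper()
            t = by_account.get(acct)
            if t is None or (role in PRIVILEGED_ROLES and t["max_role"].upper() != role):
                alerts.append((ev["ts"], ev["user"], ev["ip"], f"GRANT {role} TO {acct} not approved"))
    return alerts


if __name__ == "__main__":
    for alert in reconcile(parse_log(AUDIT_LOG), TICKETS):
        print(*alert)
```

On the constructed log, the ticketed report_svc account passes while the out-of-hours tmp_admin creation and its DBA grant are both flagged with the user and source IP.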
With insider attacks on the rise, growing 47 percent between 2018 and 2020 alone and being very costly for businesses when an attack occurs, it’s important that you have security controls in place to deal with the insider threat.
Vulnerability assessment means looking at the operating systems and data sources you’ve discovered in your organisation and comparing them against industry benchmarks and cybersecurity best practices, evaluating your cybersecurity posture and giving yourself an overall rating.
You can use external references like Security Technical Implementation Guides (STIGs) to do this.
Often, organisations will go further than the basic benchmark by doing more tests and following more stringent requirements for hardening their operating systems. This is usually because they have very critical assets whose compromise by malicious actors would be catastrophic.
This is often their intellectual property and trade secrets, or even highly sensitive PIIs, depending on what their organisation is.
In cybersecurity, identifying your most valuable assets and the threats against them is paramount in protecting them. You especially need to secure your organisation’s crown jewels, as that is what threat actors will be salivating over the idea of gaining access to.
This concludes the Identification and Baseline phase. The next phases in this model are Raise Bar and Real-time Monitoring and Protection.
Raise Bar
The raising-the-bar phase is the point where an organisation takes a look at all the information it has amassed through the Identification and Baseline phase and actually starts implementing the solutions it has come up with.
They'll start to do things like:
- Reconfigure data sources to harden them based on vulnerability assessment information.
- Free operating systems and databases.
- Implement masking, redaction and encryption on the data sources.
It’s important to remember that it’s not just your users and employees connecting to your data sources and data centres: business partners and other entities you do business with will often have access to them to an extent, so your security controls need to account for that.
When infrastructure-as-a-service or software-as-a-service providers are involved, one solution is tokenisation, where even if your data is accessed by a malicious insider at your provider, they won’t be able to make sense of it without your means of detokenising/decrypting it.
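Added example, not from the original post, covering the masking control listed above and the tokenisation approach for provider-hosted data: a masking helper beside a minimal tokenisation vault, showing what the provider’s copy looks like versus what only the vault can reverse. The card-number layout and the HMAC key are constructed assumptions; a real vault would keep its mapping encrypted and its key in a KMS.

```python
import hashlib
import hmac
import secrets
import string


def _rewrite_digits(value, keep_last, replacement):
    """Rewrite every digit except the last keep_last with replacement();
    non-digits (spaces, dashes) are kept so the layout survives."""
    total = sum(ch.isdigit() for ch in value)
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            seen += 1
            ch = ch if seen > total - keep_last else replacement()
        out.append(ch)
    return "".join(out)


def mask(value, keep_last=4):
    """Masking: a non-reversible display form, e.g. for support-staff screens."""
    return _rewrite_digits(value, keep_last, lambda: "*")


class TokenVault:
    """Tokenisation: this vault stays under your control, outside the SaaS/IaaS
    provider. It swaps a sensitive value for a random token of the same layout;
    the provider stores only tokens and cannot reverse them without the vault."""

    def __init__(self, hmac_key):
        self._key = hmac_key        # assumed to come from your KMS in practice
        self._by_token = {}         # token -> original value
        self._by_fingerprint = {}   # HMAC(value) -> token, so repeats share one token

    def _fingerprint(self, value):
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, value, keep_last=4):
        fp = self._fingerprint(value)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        while True:  # redraw on the rare collision with an existing token
            token = _rewrite_digits(value, keep_last, lambda: secrets.choice(string.digits))
            if token not in self._by_token and token != value:
                break
        self._by_token[token] = value
        self._by_fingerprint[fp] = token
        return token

    def detokenise(self, token):
        return self._by_token[token]
```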
Real-time Monitoring and Protection
For the last phase, organisations will maintain their confidentiality, integrity and availability (CIA) and prevent degradation of their cybersecurity posture by implementing solutions such as:
- Implementing safe monitoring, alerting and workflows that interact with the incident management teams, for example through a SIEM like QRadar.
- Blocking and quarantine, such as blocking and quarantining a business account which may have had its credentials stolen and is being leveraged by malicious actors.
- Activity monitoring, capturing everything that’s happening across these different data sources with details like the user, IP and timestamps.
It should be noted that while monitoring is a best practice, it must itself be hardened, with its data stored in an encrypted environment that can’t be tampered with, as security data is very sensitive.
Securiwiser is a security monitoring tool which greatly helps facilitate securing your data and data sources as the world moves ever-increasingly online.
Securiwiser evaluates your company’s cybersecurity posture and flags up vulnerabilities and exploits in real-time, displaying them in an easy-to-read dashboard. It checks the security of your network and cloud, how much information exists about your company on the dark web, if your GitHub directory is publicly accessible, and much, much more.