Spy hard

MOST ORGANISATIONS enjoy a healthy state of data security and, in many cases, are protected against targeted or opportunist attacks and associated compromises from cyber criminals.

But despite this high level of resilience, some otherwise well-managed security installations are failing to deliver a failsafe defence strategy. The reality is that conventional IT security defences – even when deployed alongside well-planned, well-executed security strategies – may no longer be sufficient to stop an attack.

Previous reports on data leakage are likely outdated, no longer offering a complete overview of the current state of play. The security industry has been busy looking at what are considered the threats of the day, but perhaps should have been anticipating the threats of tomorrow.

While some analyses focus on the failings of current generations of defensive technologies, they do not account for the root causes of the problems caused by determined attacks. These causes centre on everyday working practices and security configurations, which are not always included in the standard security mission in a typical IT systems environment.

Defensive action

One of the biggest challenges of the current age of cybersecurity is advanced evasion techniques (AETs). At their most basic, an AET is a type of network attack that combines several evasion methods to create a new technique. In doing so, this type of attack is able to circumvent any defence or control already in place, with the intention to invade, compromise and/or trespass an operational environment and its assets.

Developing a typical AET-enabled security is made easier by the fact that there are significant volumes of unintentionally published – but very available – intelligence on various IT platforms that can assist cybercriminals and demonstrate a hostile ‘footprinting’ of a potential target. This process enables the hacker to determine whether or not network incursion can be engineered.

I’d like to introduce a supposition – that all the above events, skills and knowledge can be used to develop an effective data leakage strategy. Data leakage is opportunistically invasive, and unless understood it will always be present in the background, making the information available to unauthorised persons.

One of the biggest potential areas for data leakage lies in the hacker treasure trove that metadata has become. Because metadata is data about data, it exists in all types of documents. Metadata is present to assist the application, machine or user to manage the objects by, for example, allowing tagging or applying some other hidden detail analysis, which may assist with searching the data or with document management.

Despite its potential for darkware development, metadata’s underlying purpose is entirely above board. Problems start to rear their insecure heads when the security implications of metadata are not understood. And it is here that we see the opportunities of data leakage starting to creep out of the security woodwork in a typical organisation, often as a result of the many document formats that exist in the modern IT environment – doc, docx, pdf, ppt, pps, along with many others.

The sheer variety of data formats gives cybercriminals the ability to gain legitimate access to published documentation at their leisure, download it and then subject the data to analysis in order to locate snippets of information, such as usernames. It is this information that can lead to the identification of active user and/or email accounts, internal URLs, networks, shared folders and operating systems.

With this volume of diverse data at hand, it becomes easy for an attacker to analyse any initial points of interest and decide how to exploit the data leakage that has been uncovered. This type of footprinting is an effective way of working out how organisations operate on the inside.

In my own research, I have found it possible to gather sufficient intelligence to identify those sensitive assets that can be exploited through the use of externally gathered data. In one instance, I was able to identify and extract files containing hard-coded user IDs and their associated passwords. In another, I identified some sensitive servers and associated information that was hanging off a third-party developer’s website and also reveal some sensitive documentation that had leaked over from the intranet.

Data day seepage

The issue of data leakage has become one of the most prevalent and misunderstood aspects of insecurity; it can engender a potential threat in modern interconnected security landscapes. Data leakage is also one of the primary reasons why organisations are falling prey more easily to hackers and cybercriminals.

A strong data leakage prevention programme, implemented with the proper governance and assurance considerations, is absolutely critical. Free guidance on how to implement one correctly is available from ISACA.

If data leakage were to be addressed as a matter of routine housekeeping, there would certainly be a noticeable reduction in the success rate of AET-enabled data incursions. ?

Professor John Walker, ISACA London Chapter Security Advisory Group; and CTO of Secure-Bastion

For the full McAfee report, please go to

www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf