Monday, November 30, 2015

Some Consequences of An Inadequate Information Security Policy

Hey everyone - Information breaches are common nowadays.  It almost seems like we have grown immune to them.  They can happen for a variety of different reasons and can happen on purpose or inadvertently.  I want to talk about one that I stumbled across while perusing news articles, because I think it raises some interesting points.

I stumbled across this story about a local school system in Maryland that inadvertently divulged a large number of documents pertaining to a small number of students, including grades, disciplinary information, special needs plans, and other information that should remain confidential.  One might think that it took an insider or perhaps phishing to get these records, but unfortunately it was easier than that.

The documents were made accessible because they were stored in a place with inadequate (non-existent) access controls.  I am going to frame the discussion with the following questions:
  • How were the records found?  Are these techniques applicable in other places?
  • Why might these records have been there in the first place?
  • What should have been done to prevent this from happening?
  • What lessons can someone take away from this disclosure?

Finding the Records

The reporter in the article found these records by searching Google for the name of a student who was killed while trying to defend his mother.  Google had spidered a site called Weebly where these records were posted.  The fact that it was Weebly is actually inconsequential to this story, because it was not a breach of Weebly's servers that caused this.  Rather, whoever posted the information to the website should never have posted it there in the first place.  It would be like posting your company's secrets to a wide open part of your website where the only obscurity is the link.  Remember that security through obscurity is no security at all.

Searching for information about a person or company is one of the first steps in targeting that entity.  This information can be used to enrich spearphishing attacks, learn the lingo of a company, or understand the patterns of that person or company.  Using a search engine is not the only way to do this.  You can search public records, newspapers, the company website, social media, and tons of other places to find information on a target.

Another way to get information is to search the cache of some of the larger search engines.  The cache can reveal historic information or information that was available but suddenly taken down.  In fact, in this case, the reporter was able to access the Google cache of the website in question to get access to the records after they had been removed from the website.  The very basic searching techniques that this reporter used are applicable to anyone or any company that has been mentioned or has a presence on the Internet.  At this point, that is just about everyone, even if they have not been born yet.

Why Might These Records Have Been Accessible In The First Place?

As mentioned before, the documents were on a site called Weebly.  Weebly is a site that you can use to set up websites very quickly and easily without having to know code.  That says to me that the person who put the information out there needed a way to share the information with someone.  This may have been for legitimate purposes.  Unfortunately, Weebly is not set up for easily securing documents.  The person may have thought that if they only shared the link with those who have a legitimate need to know, the information would be safe.  They likely did not count on Google caching the page or someone stumbling across that cache.  This goes back to a lack of understanding about how information needs to be secured, and the failure was not just that of the person who made the information available.  It was also a failure of the school system for not having proper procedures and policy in place to share this kind of information.  It is not enough to simply have a policy.  It has to be enforced.  There were a number of ways it could have been enforced in this case, and we will talk about some of those in the next section.

What should have been done to prevent this from happening?

As I mentioned in the previous section, there were failures at multiple levels.  The person that posted the information should have asked questions like "Is this website suitable for hosting this kind of information?  Does the website do anything to guarantee that only authorized users can access this information?"  It is possible that the person that posted the information thought that the link was enough as long as it was not posted publicly anywhere.  This idea stems from a fundamental misunderstanding of access controls.  The question is: whose responsibility is it to educate information owners about these seemingly basic ideas?

To be fair, these ideas seem elementary to me because I have been working in this field for a number of years and I have biases when it comes to information security.  Someone without any background whatsoever might not know anything about controlling access to information.  Despite this, I am a big advocate of user education and accountability as a layer of a defense-in-depth model to protect information.  In an ideal world, users would seek out education about how to keep information secure, especially information that they are responsible for.  Because we do not live in an ideal world, I believe that organizations with a stake in the information should make training a part of their information security policy.

That assumes the organization has an information security policy.  If your organization does not have one, then it would be a very good idea to create one that takes the specific needs of your organization into account (like which regulations and laws apply to your organization, how much risk the organization is willing to accept, what resources the organization has available, et cetera).  Even if your organization has a security policy, it must be kept up to date with advances in technology or new attack vectors that are discovered.

In addition to having a policy, that policy must be enforced.  That could be through technical controls (blocking access to sites like Weebly if possible, or logs that alert on large amounts of data leaving the network) or through other means (such as spot checks, logging of data transfers of sensitive information, or even disciplinary action against those that violate the policy).  It is not clear if the organization had a security policy in place, but it is clear that there were failures that need to be addressed.
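One way the log-based enforcement described above could look, as an added example that is not from the original post: it scans a constructed proxy log for uploads to a host the policy does not sanction and for users whose daily outbound volume exceeds a threshold.  The log format, the host list, and the threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumption: hosts the policy does not approve for sensitive documents.
UNSANCTIONED_SUFFIXES = ("weebly.com",)
# Assumption: per-user daily outbound volume that should raise an alert.
VOLUME_THRESHOLD_BYTES = 50 * 1024 * 1024

# Constructed sample proxy log: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2015-11-30T09:01:12 jdoe GET www.example.org 412
2015-11-30T09:03:40 asmith POST records.weebly.com 2481122
2015-11-30T09:04:02 asmith GET www.weebly.com 380
2015-11-30T10:15:27 bnguyen PUT files.example.net 41943040
2015-11-30T10:47:55 bnguyen PUT files.example.net 20971520
2015-11-30T11:00:00 malformed line
"""

def parse_line(line):
    """Return a record dict, or None if the line does not fit the format."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    ts, user, method, host, sent = parts
    return {"ts": ts, "user": user, "method": method.upper(),
            "host": host.lower(), "sent": int(sent)}

def host_matches(host, suffixes):
    """Match the domain itself or any subdomain, but not look-alike names."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def review(log_text, suffixes=UNSANCTIONED_SUFFIXES,
           threshold=VOLUME_THRESHOLD_BYTES):
    """Return (uploads to unsanctioned hosts, heavy senders, skipped lines)."""
    uploads, volume, skipped = [], defaultdict(int), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count unparseable lines so gaps in coverage are visible
            continue
        volume[(rec["user"], rec["ts"][:10])] += rec["sent"]
        if rec["method"] in ("POST", "PUT") and host_matches(rec["host"], suffixes):
            uploads.append(rec)
    heavy = {key: total for key, total in volume.items() if total > threshold}
    return uploads, heavy, skipped
```
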

What lessons can someone take away from this disclosure?

If you are protecting information, whether it is your personal information or that of your organization, then a key takeaway is to ask the right questions before uploading information that might be sensitive to any website, such as:
  • Is the website set up for handling sensitive information?
    • Does the website encrypt the data in transit and at rest?
    • Does the website feature access controls that only allow authorized users access to the information?
    • Does the website log when users access information?  Are those logs accessible to the information owners?
    • Are there regulatory controls or laws that mandate certain standards for the transmission, storage, and access of information?  If so, does the website have controls in place that are in compliance with those controls or laws?
    • If applicable, does your organization's information security policy allow uploads to the site in question?
  • Can the information be redacted before being shared?
    • Maybe you do not have to share all of the information you want to upload.  If you do not need to share all of it, consider redacting parts that do not need to be shared.
  • Has the receiving party asked some of these questions?
    • While it is not your job to police information security practices of another person or organization, it is important to know if the other person or organization will take the same care and due diligence to protect the information that you are sending.
As I mentioned before, it is also important to make sure you are familiar with your organization's information security policies.  If you are responsible for the confidentiality, integrity, or availability of your organization's information, then make sure you have a robust information security policy and that it is kept up to date.  I realize that is easier said than done, and that I have not given a ton of detail on how to do that in this blog post.  The information security policy of an organization must be tailored to that organization.  It can start from a template, but it must evolve based on the specific risks, needs, and culture of the organization.

What are your thoughts?  Please let me know in the comments.  Thanks for reading!
