Incident Response | Data Theft


Vestige Digital Investigations, CTO and Founder
BS, EnCE, DFCP

In case you were living under a rock, you may not have read that the giant retailer Target was the victim of the theft of millions of credit card numbers. Not just the numbers, but also the names, addresses and other crucial information needed to replicate credit cards for use in unauthorized purchases. From reports, this cyber security attack was done on the point of sale (POS) terminals and involved getting the information that is stored on the magnetic stripe and read when you swipe your credit card for a purchase. I have read and heard conflicting reports as to whether the card security code (also known as card verification value or CVV) was also compromised; since that information is not stored on the magnetic stripe, it seems unlikely – if the attack took place at the POS. That said, one article I read outlined a very interesting fact about how the cards were sold. The credit card information was sold on the black market along with information about where the card was used. That information helps the bad guy avoid making an unauthorized purchase with the card in an area where the card owner doesn’t shop. Purchases in an area where one does not live or typically shop are just one of many red flags that banks use to detect unauthorized transactions.

Translation – the bad guys are getting smarter.

What does that mean for you, your company and your clients?  You too need to be smart about how you are going about protecting your intellectual property, confidential information and customer lists.

It all starts with understanding your data, understanding how it can be stored and transported and understanding who accesses the data and who wants to access the data.

That “who” is a piece that I think gets lost today with the media’s desire to produce sexy headlines involving millions of records being stolen by a hacker in a faraway land. But protecting your data starts with protecting it from those who create and interact with it on a daily basis – your employees. Whether it is a malicious act or a careless one, data theft and data breaches often start from the inside.

If you consider what goes on inside the work place with respect to IT, it can really make your head swim when you think about what you have to do to protect your data.  Every employee is an access point into your data, and a big access point at that.  The employee likely has a laptop or a desktop to access your network.  That laptop (or desktop) has the ability to transfer data externally via:

  • USB drive
  • Cloud site (Dropbox, Box.net)
  • Email (company or personal)
  • CD/DVD
  • FTP site (old school, but still works)

Or by simply taking the laptop to another location, plugging it in and transferring the data via a network cable to another computer. It also has the ability to “transfer” data when it is mistakenly left in a taxicab, airport or hotel and someone else gets their hands on it. If you are hoping that a strong password will protect that unencrypted data, you are wrong. Passwords merely stop someone from logging into a computer. If you have physical access to the computer, and a screwdriver, you can very easily remove the hard drive, spend $20 on a device that allows you to turn it into a USB drive and then plug it into any other computer.

Head spinning yet?

Let’s talk about the BYOD craze. When the general public got tired of Blackberries, companies were more than happy to remove the cost of those devices (and the data plans) from their bottom line. The result was that employees were now bringing their iPhones, Androids, iPads and other portable devices into the office. They asked IT to configure these devices for access to the corporate network. Even if IT and management grumbled about it, as soon as the employee said “you do want to get a hold of me in the off hours?” companies relented. So now you have a device which can hold, in some cases, over 100 GB of data, has access to your network, and you have no control over it. Remember how IT said that they can monitor all web traffic and can prevent people from using personal email sites, Dropbox and other activity that may lead to employee data theft? They probably are not doing that on the cell phones and tablets. Those portable devices can get access to the Internet via the cellular network, over which your IT department has no control.

But wait, there’s more!

These lovely portable devices can act as a USB drive. Plug one into a computer and copy all the data you want. Did you say you turned off USB usage on the workstations? Ok, I’ll just make my cell phone into a hot spot like the seemingly average Joe does in the Verizon commercial. Now not only can you not tell what I’m doing with my cell phone, but you also can’t tell what I’m doing and where I’m going with your data on the company-issued laptop that is accessing the Internet through my cell phone.

Well, we’ve got the malicious acts covered (or at least the most obvious ones, my fingers would start bleeding if I went into the rest of the actions we have seen used for removing data).  Let’s talk about the accidental ones.  I’m talking about the actions that usually lead to a hacker from the outside world turning your company into the next Target (pun intended).

In Vestige’s view, the accidental exposure of data in today’s world stems from the constant battle between protecting that data and making it easy to access. Let’s face it, if the data is not easy to access by those who want to work with it, they won’t use it, or worse yet, they will find ways to circumvent that access. That circumvention may include keeping copies of the data on their work computer, transferring it to a home computer or sharing passwords so that everyone can log in with the same account. The problem with these practices is that they expose the data to theft. When a sales person decides to download the client list onto their laptop computer because they have trouble accessing the network remotely over the virtual private network (VPN), that client list, or any other important piece of information, has now left the safe confines of your network and can be picked off, lost or otherwise stolen.

Another method of accidental exposure is through the implementation of development networks and applications.  Often while working on an IT related project or application, a development network is set up to test the project.  Sometimes, the best way to test that application is to use real data.  Unfortunately, development environments do not always have the same controls and security put on them.  Also, development environments may include software code that hasn’t been completely tested (hence, “development environment”) and therefore may be more easily hacked.  When applications under testing don’t perform well, one reaction might be to drop most of the protection in order to ascertain whether the application’s failure is due to a permission issue.  All of these scenarios can lead to accidental leaking of data.

If you work with vendors, contractors or partners who have access to your precious data, that too is another avenue for accidental exposure. What controls have you imposed on these third parties, if any, and what are you doing to make sure that they are adequately protecting your data? Each situation I have outlined in this document, malicious or accidental, that leads to data exposure and theft applies equally to any of these third parties.

Pretty daunting, isn’t it? Makes you want to return to the days of paper and pen? All is not lost, however. Stay tuned to our blog posts for the rest of this month as we walk you through a process by which Vestige helps its clients understand their data, protect it, prepare for possible data loss, investigate that loss and then, most importantly, learn from that loss.

by Greg Kelley, EnCE, DFCP, Chief Technology Officer at Vestige Digital Investigations