Episode #37 Keeping Your Data.. Your Data

From PII (Personally Identifiable Information) and PHI (Protected Health Information) to intellectual property and sensitive business information, the guys talk about how to keep your sensitive data from leaking to the outside world.
While there is no single answer, they cover both technology and governance tips to keep your data where it belongs. Plus, they rant to everyone: "Don't be a data hoarder!"

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines

Biden Orders CISA and NIST to Develop Cybersecurity Performance Goals for Critical Infrastructure

A Record Year for Cyber-Attacks That Impacted Society

Even After Emotet Takedown, Office Docs Deliver 43% of All Malware Downloads Now

This part of the news wouldn’t be possible without Microsoft….

New PetitPotam NTLM Relay Attack Lets Hackers Take Over Windows Domains
Microsoft Releases Guidance for Mitigating PetitPotam NTLM Relay Attacks

LockBit Ransomware Now Encrypts Windows Domains Using Group Policies
Chinese Hackers Implant PlugX Variant on Compromised MS Exchange Servers
Microsoft Teams Now Automatically Blocks Phishing Attempts

But to be fair……

Apple Patches Zero-Day Flaw That Hackers May Have Exploited

 

Transcript

Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cyber security programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cyber criminals. And now, here's your hosts: Mike Rotondo, Zach Fuller and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez. How are you guys doing? It's been a good probably 10 hours since I've talked to you.
Same as before. Well, today we're going to be even better, because we're talking about protecting your data, and really keeping your data your data, right? So it's really about loss prevention, right, all kinds, whether it's PII or PHI, financial information, intellectual property. It's yours, you need to keep it and safe harbor that. So before we dive in though, as is our traditional method, Mike, you want to kick us off with the news?
Yeah, there are a couple headlines that I'm gonna go into, and then there's a couple of headlines brought to us by Microsoft, which I'll touch on later. In order: CISA and NIST to develop cyber security performance goals for critical infrastructure. Basically the president sent a memorandum on Wednesday addressing cyber security for critical infrastructure. That would include the energy grid, water, that sort of thing, and basically the idea is to establish a set of government stated and defined minimal cyber security criteria for these industries in order to stabilize and centralize it. We'll see if it happens.

A record year for cyber attacks that impacted society. Basically 2021 is already proving to be a record year for cyber attacks: the SolarWinds attack, the Colonial Pipeline attack, the Exchange attack, the JBS meat attack and so on. DarkSide obviously is a Russian state actor which is responsible for the Colonial Pipeline and SolarWinds; the Chinese have been implicated in the Exchange attacks and hacks, which led to the unprecedented action of the FBI going into vulnerable servers and removing web shells without the owner's knowledge or approval. It's not so much that the cyber attacks are particularly sophisticated, but that these attacks are having societal consequences that no one anticipated. There's also the rise of geopolitical tensions that is evident through the neighbors of these cyber attacks, including the president talking about it turning into potentially a shooting war. That's something to definitely watch; weird stuff going on with that.

Yeah, even after the Emotet takedown, Office docs deliver 43% of all malware downloads now. According to Netskope, which released its Cloud and Threat Report, the average company with anywhere between 500 and 2000 employees now deploys about 805 distinct apps and cloud services, with 90% of those being unmanaged and often freely adopted by business units and users, which is a little scary. The report noted that cloud storage apps account for more than 66 percent of cloud malware delivery in Q2 2021; 43% of all malware downloads were malicious Office docs, compared to just 20 percent in 2020. Collaboration apps and development tools account for the next largest percentage, as attackers abuse popular chat apps and code repositories. 35% of all workloads are exposed to the public internet within AWS, Azure and GCP, with public IP addresses that are reachable from anywhere on the internet. And lastly, RDP servers have become a popular infiltration vector, excuse me; they're exposed in 8.3 percent of the workloads. So long story short, there's a lot of risk out there. Button up your apps, which is something we're going to talk about in a little bit.

Finally, the Microsoft part of the news: new PetitPotam NTLM relay attack lets hackers take over Windows domains. Microsoft does release guidance for mitigating PetitPotam NTLM relay attacks, and as of this writing, or reading, they had not released a patch; it is just a workaround. LockBit ransomware now encrypts Windows domains using Group Policies. Chinese hackers implant PlugX variant on compromised MS Exchange servers. And lastly, Microsoft Teams now automatically blocks phishing attempts; we'll see how long that actually lasts. And to be fair and balanced, Apple patches zero-day flaw that hackers may have exploited. The patch comes mere days after another update that tackled 14 vulnerabilities. So that's the news, Lauro.
Yeah, thanks Mike. Wow, gosh. You know, Microsoft said... you know, hey, I want to retract my statement when you asked me at the beginning how am I doing today. Fantastic! You know why? Guess who's not in the exploit news this week? Yeah, that Rick from 1981 and his T-top Camaro, WordPress. He's not there this week. But I'll tell you who is. Yeah, I know, I had to look twice. I was like, wait a minute, really? There's no new crazy drugged-out plugins that he's dating? So we got PHP 7.3. This is pretty interesting, right? So if you're running PHP 7.3, make sure... you should be well beyond 8 at this point, right? But if you've got 7.3 for some reason, look into this, because there's a session upload progress issue that basically abuses the ability for the session to handle that data from its source, and so you can do data injection with this exploit if you can get the session ID, I'll say that, right? So there's got to be that missing puzzle piece, but if you can get the session ID you can inject arbitrary data with this exploit. And to tack on to Mike's newsletter, to save the lowest of the group for last: Microsoft SharePoint Server 2019. If you're still running that, please make sure you don't expose it, and internally, you're going to have remote code execution capabilities with that version, so make sure that you've got that at least patched to the latest. But if you're running the 0720 version of it, you're gonna be surprised. Okay, and that's pretty much it for exploitation this week.
Zach, what are we talking about today, comic books or...? Well, I figured we'd talk about beach towels, and it's an important thing to understand this time of year. It sure is. Lots of big sales going on.

For those who want even more Cyber Rants, be sure to subscribe to the Cyber Rants podcast. Get your copy of our best-selling book Cyber Rants on Amazon today. This podcast is brought to you by Silent Sector, the firm dedicated to building world-class cyber security programs for mid-market and emerging companies across the US. Silent Sector also provides industry-leading penetration tests and cyber risk assessments. Visit silentsector.com and contact us today.

We need to talk about keeping your data your data, right, because that's something that comes up a lot. Now, there are certain organizations that have things, the data that's basically their competitive advantage, right? That is their secret sauce, what they need to protect: their intellectual property, right, their trade secrets that really keep them ahead, and a lot of times their business is based on protecting that. So that's obvious; for obvious reasons they can't let that out there. But there are plenty of other companies out there, even ones that don't have that intellectual property they're worried about, but they do have PII, PHI, they have credit card data, those types of things. So they need to keep it internal, right? They need to keep it where it belongs, and there's lots of ways that data leakage can occur: data theft from not only outside the organization but of course within it, the malicious insiders or the well-meaning but unknowing employee, right, that just compromises or leaks data. So let's talk about that, and let's start at a strategic, or at least a governance, level, and talk about what an organization needs to do to keep their data internal where it's supposed to be. How do they need to be thinking right off the bat, Mike?

I mean, my first thought would be a data inventory of the data types that you have, where it all exists, everywhere, and then a data classification document to determine... to basically label those types and the control requirements around them.

First, I think a lot of organizations are data hoarding right now. Yeah, very much so. But yeah, so the data inventory I think is important, because if you don't know what types of data you have that are vital to your business, or that are subject to laws and governance and that sort of thing, then it's going to be hard to protect it, or to keep it from leaking. So I think the data inventory is probably one of the primary steps you want to take, just to try to figure out where are all the places that sensitive data is going to live, right? And so it's a time-consuming process, but I think not only meaningful in the end, and gives a very satisfactory feeling of being able to categorize and manage all your data very effectively, but I think it's a necessary step for all organizations to go through because of that data. And I think, Mike, I know we've seen places where, oh, this sensitive data only lives in this Oracle database, and in fact it's on SharePoint, it's on people's hard drives, it's in OneDrive, it's getting replicated all over the place. You know how that's when it becomes so difficult to keep that data secure and from accidentally leaking, or, as we would have called it in the military sometimes, a message, right, a classified message.

Yeah, and we've seen that all over the place. And what's worse is that Oracle database lives on maybe a legacy Oracle server that hasn't been patched in 10 years, because no one really uses it, it's just data storage, right? So yeah, it's open to vulnerabilities and to exposure. And just echoing back what you're saying, the data classification is so critical, and so many people just don't know what they have, where it is and why they have it. Or they've lumped everything together; they've created queries in their applications where they can pull the classified data or the confidential data, but they have everything together with the same minimal controls and haven't segregated it properly, like you do with the CDE with PCI, where you have to separate all that out. You should be doing that for all your data regardless of what kind of compliance requirements you have.
Yeah, no, certainly. And I don't want to turn this conversation into technology-based DLP, right, because I'm not saying that's not helpful, but I think there are foundational things that you need to do as a business and as a leader first, before you start buying a bunch of fancy tools, because they won't help you if you don't understand this basic stuff. And so at a minimum, we typically see probably three classifications of data, right? You'll have your public, that's consumable from a business perspective out to everybody: marketing stuff, it's gonna be on your public-facing website, that sort of thing. And then you're gonna have internal, or "for official use only", or "business confidential", whatever you want to call it, doesn't matter, you can call it anything you want. What matters is that those are data types that are specific for just internal communication, business internal only. And then you may have a third type of highly confidential, that may include, like what you were talking about Zach, trade secrets. Maybe you've got some secret sauce that does all kinds of cool stuff, that serves up the focus of your business, right, to your customer base, and you don't want that out. Or you could be holding different types of sensitive data, from credit card data to PHI, and you'll need to label that out. It's not that you need more than one type; you just need to understand that there is a separation of the needs of data, how they should be placed and used, and who should have access to it. And then there are other types of data that need to be kept, exactly, very very close to the vest, right, and have very strict access controls. But I don't think any of that matters without your inventory.

Yeah, you got to know it, got to know what you have, right? And that's the foundation of every cyber security framework to begin with, not just on the data side but with your technology assets as well.

Yes, that kind of brings us back to that one story that I brought up in the news, of the malware being 43% of Office document downloads, from either the web repository, OneDrive, chat programs or what have you. So now, where are you storing that data, right? Are you storing it in a secure location, or are you allowing people to store highly confidential data or confidential data in OneDrive? And if so, how are you securing them? Do you have the right license, the right Microsoft license for OneDrive, to ensure that you have the proper controls, so you can control who can connect to that data, you can identify what data is being pulled down, and you can prevent someone from just taking their personal laptop, jacking into their OneDrive and stealing all your IP or something of that nature and then going on to another company?

I don't want to call it data policing because it sounds authoritarian, but I mean, it kind of is, right? Let's just be honest, right: some of the users, the data users, the employees, they're going to be lazy, and everybody has their own way of doing things. They're going to want, "I don't want to go to the secure OneDrive, I don't want to go to Box and download this stuff every time I need to use it, or use it online, right, I want to be able to have a local copy." And so this causes that data hoarding, right, where it just gives a domino effect, and now if you've got 50 employees, if you've got 5,000 employees, you've got all of this, everyone doing kind of the same things, emailing over these reports, and it can get out of hand really quickly.

Mike, you shared an article the other day,
and I can't remember the title or the main premise of it, but it was talking about employees and just the sheer volume of software that they install on their own. So employees are out there finding tools and programs online and just using their own stuff, not necessarily company approved, because a lot of companies aren't restricting this. They've said something like, the average 200-employee company has something like over 200 unauthorized applications in the environment, or unknown, just because people use their own thing. And that's where your company's data ends up going.

Yeah, I mean, since people have moved to remote working because of COVID, which is why we're seeing so much data stolen without the oversight of IT and the control of a centralized LAN, you have people that have gone out to find their own solutions. And case in point, we had a client that needed to solve a problem of moving large data files. They didn't bother to contact IT as to how to do it; someone found an app online and said, oh well, this will move large data files. So then they shared it with the entire business unit without any vetting, any security around it, I mean any looking at it, and God only knows what had happened.

You know, we're gonna have to have a whole podcast about administrative control, right? Because I think that's why I bring up WordPress; I mean, that's the reason WordPress is in the exploit news so much, because they allow the creation, open source, right, they allow the creation of all kinds of plugins, right? And Chrome is getting that way too, right? I mean the Google Chrome store is just rampant with vermin. So if you're letting your employees leverage Chrome for browser functions, simple things like that, right, that patching... So this kind of data protection comes all kind of full circle back to a holistic cyber security program, really, right, because every little piece helps provide that protection, another protective layer for the data. But you can't protect a dang thing unless you know where it's at, right?

Yeah, we're talking about those extensions. That goes to the old speed to market thing, right? I've got this new tool, I'm going to open it up so everybody can be a part of it and everybody can develop for it, and all of a sudden you're developing malware in it as well, as it becomes adopted. It's a two-edged sword. You have to cut that off at some point, where you have to sign code and everything has to go through a specific approval process, whereas now everybody just puts an app up.

It slows business down so far to do that though, right? We're talking about certification and accreditation now, and business leaders aren't willing to wait. I think that's what it is. You need to have that very mature, very methodical, very emperor-like perspective of, we're doing this right, it's going to take a little longer, but when it rolls it's going to be awesome. And I think that's the only way to really see those processes through. But I think speed to market is just rampant in the world today.

Well, I remember the good old days when the first real smartphone out there was the BlackBerry, right, and everything got routed through a single location, and any code had to be signed by BlackBerry. Those phones were also indestructible, which was always nice. Yeah, I mean, back in that day there were no breaches of BlackBerrys because it just wasn't even possible. I miss that little scroll ball they had on there; it was kind of cool. But yeah, BlackBerry was a great architecture foundation. That's a good example, I think, of a company that did a good job of making that security foundation. Yeah, but because they didn't open it up, they no longer really exist, right? So it's that two-edged sword, right? BlackBerry was the 800-pound gorilla for the longest time, and then all of a sudden they're gone, because Apple and Google opened everything up so you can develop your own apps and all that kind of stuff that made it easier to use. Plus we have data leakage.
I think what you're saying is, that's a lot of good information: start out with inventory, know what you have, right, understand where it is. I think some other things too are the staff. I think they need to sign off too, that they understand what's what, right? We have to have that training. Without them basically being bought in and understanding the why behind all this, this stuff will continue. And then really limiting access, being very specific on what applications your users are using. It seems like that centralized management is missing in a lot of organizations, and people are just letting... people are using their own devices with whatever they want. So limiting that is huge. What are your thoughts on data flow diagrams and that sort of thing, having more visibility over where this stuff lives day to day?

Yeah, necessary. I mean, I consider that a step of the data inventory, you know what I mean, to do those kinds of data mapping and data flows as kind of an output of that data inventory, to understand what applications are processing it and how users are consuming it. Things like PCI require that, but it's actually a good exercise to go through, and it gives everybody just a completely different level of awareness on how data flows in the organization.

Anything else on the high-level strategic and governance side, any other considerations, or should we dive into some of the specific technology-based configurations that we can do?

I just think it's key to build the governance piece at the beginning rather than trying to bolt it on the back, and that's what we see seems to be missing in so many places.

So once you have that, let's say you have it really dialed in, you understand what data you have, where it lives, it's classified, all these things are in place, and the staff knows what's coming. What about implementing some of the technology solutions? I mean, for example, blocking thumb drives unless they're authorized company thumb drives, or some of the MDM solutions and stuff out there. Is there anything that you think moves the needle on this more than others when it comes to just data protection?
There's a lot of cool tech out now. I think the original integrity monitoring and data loss prevention tools were from McAfee and Tripwire and places like that, right? So now everybody's kind of got into this game. So if you're out there and you've moved past this kind of governance hurdle, and you understand where your data is, and now you need to apply role-based access control based on need to know, right, these tools will help you do that. I think the thing that moves the needle the most is, again, to understand your data entry and exit points; those are going to be important. So like you said, Zach, I think a big one that we see a lot is the thumb drive, which is completely overlooked. No one's using tape storage. You'll see a lot of governance frameworks talking to controls about removable media in the form of tapes or drives or something we'd go down and store in the tape room or whatever, right, for backup. That magnetic media is starting to be a dying tech now; it probably is already dead. I haven't seen a tape silo... I don't know, have you been using a tape silo, Mike? It's been at least 10 years for me.

So, no, but I got a great deal on 1.44 floppies the other day from Amazon, so hopefully it's next week. Wow, I hope so, for your sake. That's a good thing. Don't stock up on too many of those, I'm just saying. But anyway, they're talking about thumb drives; that's really what that applies to now. Most of the laptops that come today are not going to come with a CD drive; that's, again, sort of a dying tech as well. So thumb drives are really going to be the point of origin for removable media, and having a method to ensure that that's not an exfiltration point for data hoarding... There's a lot of users, and I'm a big proponent of offline storage to USB drive, so there's going to be a lot of your employees that may also have that: like, I'm going to take it home, I'm going to put it on a thumb drive in case something happens, I don't trust it, they build a bad operating system load, or we're using Microsoft and I just need to keep it on a thumb drive, right? So I mean there's a lot of good reasons to put your data on a thumb drive, but if you're a business, you've got sensitive data and you're in this kind of final stage, make sure that you've got, and again, great point Zach, make sure you've got a way to issue and manage thumb drives in the organization, because I think that's a huge risk factor that's overlooked by a lot of organizations, even ones that have implemented very restrictive rights and are using a very modern method of data sharing on like Box or something like that, right, or using Microsoft Intune to manage data at the mobile device now, right, where you can ensure that users on their phones can get email but they can't download the attachments, right, that sort of thing. So there's a lot of cool stuff that's happening, but thumb drives I think are probably one of the bigger risk factors that has been kind of overlooked lately. The phones and the laptops I think are probably the easiest to manage with these techs today.
So on the flip side of that, IT departments, don't give the users an excuse to do that. Get with your business unit managers, get with your users, find out what their pain points are and figure out a way around them saying, well, you guys build garbage, so I need to have a USB drive backup of this. A lot of the complaints are, my laptop isn't backed up, I have a lot of critical data on it. Well, why do you have critical data on your laptop? How can we fix that for you? So from the IT shop side, you need to be able to eliminate those issues, ask those questions, and kind of head off those concerns at the pass so you don't force them to use the USB. But I totally agree, you got to turn off the USB, or you should anyway, unless there's an absolutely justifiable reason for having it, and if so, then issue USBs. But one of the things that you have to make crystal clear, which is astonishing even in this day and age: if you find a USB drive, don't plug it in. It's just a simple concept, but people still do.

Oh, people still do. But yeah, that drop drive is still a very viable method to get somebody, especially if you put a label on there, like "pics from Vegas". Yeah, I mean, right, that's all you got to put on it, because I'm like, ooh, pics from Vegas. But I'm going to get a burner laptop, I'm going to find out, I'm like, oh, this is great malware. Do you think it's a burner laptop anyways? Yeah, you got to test that stuff out the right way.
But there's a lot of cool tools out there, right? And so from a tech perspective, what I would suggest to IT teams is look at the subscriptions you're paying for today, right? I mean, a lot of organizations are a Microsoft shop, right, so Microsoft Intune is kind of a new thing for them that's kind of being proliferated about. It does a good job of mobile device management. Everybody's already integrated into Microsoft's one login, AD piece, right, so it works well. I'm not saying it's without flaw, right, because it's Microsoft, so keep that in mind. But what I will say is that it's not gonna be like putting in a whole new technology to do this, right? It's just an enablement inside of a subscription you already have, so I'd say look there first. For thumb drive control, there's going to be a lot of programs. I would look to the endpoint management solution that you're using, so if you're using like a Sophos or a Carbon Black, look to see if they offer it; a lot of these EPPs are offering the capability to control that whitelisted thumb drive port, right? And then you can also just be like a good engineer, and you can go in and disable those ports right at the OS layer. If you just say nobody needs to use a USB drive ever, there's not a reason for it, we have too much technological capability to need this, then just go in and make the configuration in your gold image and you don't have to worry about buying a tech. Failing that, you can use super glue.
Yeah, did I tell you about the commercial that I wanted to do for us? It was like this cyber criminal, right? He does all the social engineering and he gets into the data center, right, and so he's got his thumb drive and he's in the data center and he snuck past all the lasers and all the infrared and all the floor sensors. He's actually at the server rack and he's about to plug in his thumb drive to inject this malware into this massive database, right, this giant supercomputer that's got lights flickering on it, right, looks like something out of Star Wars. Anyways, he goes and he gets to the USB drive and he looks and he realizes that the thumb drive won't go in. As he looks closer and the camera focuses, there's like a little wire mesh cage over the thumb drive port, and it says "Silent Sector was here", and it's all bolted in so there's no way to physically insert it. And he's got this look on his face, you know, like you watch people die inside, and then the police come and arrest him, of course, right? Now I think we end it with him sitting at the diner, sipping a cup of coffee in his little uniform, just kind of sad.

That's a good one. Well, we'll have to make that. Oh, one thing that we also need to... you need to look at, when it comes to controlling what happens on your devices: you've got Intune, you've got OneDrive's AD, you have native AD, like local on-prem AD, you have hybrid models. You need to really research what Active Directory model will work for you if you're going to deploy GPOs, because in a lot of cases Microsoft has not fully baked out that whole solution. Each one has parts that are valuable, so you need to be able to look at Active Directory from that perspective for GPO management and see what will actually satisfy your needs, and make sure you have the right license for O365 and OneDrive.

Oh yeah, and if you're not a Microsoft shop, there's other tools to help you too, right, to do this sort of local host AD management. JumpCloud's one of them that we see be very successful, right? There's other ones, so do your research. But they will allow you local security group control with one agent, which is really cool, and you can do the thumb drive lockout and you can control the host just like you can in AD.

Well, excellent information. Any final thoughts? We're running out of time here. Any words of wisdom before we wrap up?
Don't be a data hoarder. Yeah, definitely. When you get into the petabytes, you got a problem. There's gambling addictions, there's drug addictions, and there's data addictions, and your business might be addicted to gobbling up and proliferating unnecessary data. If you have to maintain a farm of mainframes because you've got data from the '70s, you got a problem. So let it go, man, just let it go. That's right. That '83 Vette sitting in the garage, you're never going to work on it, just let it go.

Well, thank you everybody for joining. Hope you learned something today, hope this information helps you in your careers and your endeavors, and by all means reach out if you have questions, any requests for topics, anything like that. Make sure you subscribe to the podcast. We will see you next week.
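Editor's added example (not from the episode, and not Silent Sector's code): the "disable the ports at the OS layer in your gold image" approach the hosts describe, done in PowerShell so it can be baked into an image or run as a compliance check. It relies only on two Windows registry locations: the Removable Storage Access policy key (the same key the Group Policy setting "All Removable Storage classes: Deny all access" writes) and the USBSTOR driver start type. The function names, the audit object and the -Revert exception path are this example's own choices, not anything the episode or a Microsoft tool defines.

```powershell
#Requires -RunAsAdministrator
# Added example: lock down USB mass storage on a Windows host or gold image, and audit it.
# Two independent controls, so a device that still enumerates is also denied access:
#   1. HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices  Deny_All = 1
#      (the registry value behind the GPO "All Removable Storage classes: Deny all access")
#   2. HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR  Start = 4 (driver disabled; 3 = manual/default)
# Both values are read back, so the same script doubles as a compliance check.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableStorageState {
    # Report the current state of both controls as one object (shape chosen for this example).
    $denyAll = (Get-ItemProperty -Path $PolicyKey  -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $start   = (Get-ItemProperty -Path $UsbStorKey -Name 'Start'    -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        PolicyDenyAll     = ($denyAll -eq 1)
        UsbStorDisabled   = ($start -eq 4)
        UsbStorStartValue = $start
        Compliant         = ($denyAll -eq 1) -and ($start -eq 4)
    }
}

function Set-RemovableStorageLockdown {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # -Revert re-enables USB storage for a documented exception (an issued, managed drive).
        [switch]$Revert
    )

    if ($Revert) {
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Remove Deny_All')) {
            Remove-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
        }
        if ($PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start = 3 (manual)')) {
            Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 3 -Type DWord
        }
        return Get-RemovableStorageState
    }

    if (-not (Test-Path $PolicyKey)) {
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Create policy key')) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set Deny_All = 1')) {
        Set-ItemProperty -Path $PolicyKey -Name 'Deny_All' -Value 1 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start = 4 (disabled)')) {
        Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
    }
    Get-RemovableStorageState
}

# Usage: audit first, preview the change, then enforce.
Get-RemovableStorageState | Format-List
Set-RemovableStorageLockdown -WhatIf      # shows the registry writes without making them
# Set-RemovableStorageLockdown            # enforce on a host or in the gold image build
# Set-RemovableStorageLockdown -Revert    # only for an approved, issued-drive exception
```

Two caveats a practitioner will want. First, on a domain-joined machine the Policies key is owned by Group Policy: if a domain GPO sets Removable Storage Access differently, it will overwrite this value on the next refresh, so in a domain set it through the GPO itself (Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access) and use this script only for the audit half. Second, this is the blunt "nobody needs USB storage" option the hosts describe; allowing only company-issued drives, as they also suggest, requires per-device identification, which is what the endpoint protection or Intune device-control features they mention provide and what this script does not attempt. A reboot is the reliable way to be sure the USBSTOR change has taken effect for devices that were already enumerated.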