Danny Bradbury explores why not all data security threats are of a cyber-nature
Ransomware threats are rising, hackers are lurking inside enterprise networks and zero-day flaws are rendering systems vulnerable. Faced with a blinding array of cybersecurity threats, it’s easy to forget the less visible dangers. Companies that focus purely on protecting themselves from online hackers take note: not all data security threats come via the net.
Non-cyber threats, from mislaid paper-based documents to non-digital social engineering, are just as dangerous as network-borne ones. Mike Weber, vice-president of innovation at cyber-risk management and pen testing consultancy Coalfire, encounters both types on a daily basis. He draws a distinction between information security and cybersecurity.
“Information security is more about the data than it is about the technology, whereas cybersecurity focuses primarily on the technology,” he says. Securing online systems is important, but only part of the data security story. Security pros must ensure that information doesn’t leak out through other channels.
These other channels span multiple aspects of an organization’s operation, including its operating procedures and the people who follow them (or don’t). Some of these weaknesses and the breaches that they cause are accidental, and some aren’t.
The accidental weaknesses are both common and depressingly simple. Errors were causal events in 21% of breaches, according to the 2019 Verizon Data Breach Incident Report (DBIR). Of those, 37% were down to misdelivery of information, via documents misaddressed in the mail, or via emails addressed to the wrong people thanks to supposedly helpful technologies like email address auto-completion.
Lance Spitzner, director of research and security at security training company the SANS Institute, says that the COVID-19 pandemic increases the risks of errors like these. “People working remotely at home now are far more likely to have their personal and work contact lists combined,” he warns.
In the UK, data emailed to the wrong recipient accounted for nearly an eighth (12%) of non-cyber errors in Q3 2019 handled by the Information Commissioner’s Office (ICO). Not using BCC (and so sending data to the correct recipient along with lots of other inappropriate people) accounted for a further 3%.
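The two email failure modes described above, an auto-completed near-miss address and a mass mailing that leaves unrelated recipients visible in To/Cc instead of Bcc, are both detectable before the message leaves the client. The following pre-send check is an added illustration, not code from the article or from any vendor quoted in it; the organisation domain, the five-recipient Bcc threshold, the similarity cut-off and the sample addresses are all constructed assumptions.

```python
"""Pre-send checks for outbound mail that catch common misdelivery patterns.

Added illustration; the domain, thresholds and sample messages are constructed.
"""
from dataclasses import dataclass, field
from difflib import SequenceMatcher

ORG_DOMAIN = "example-corp.test"   # assumed organisation domain (constructed)
BCC_THRESHOLD = 5                  # assumed policy: more external To/Cc recipients than this must go via Bcc
NEAR_MISS_RATIO = 0.85             # assumed cut-off for "looks like a known contact"


@dataclass
class Message:
    to: list = field(default_factory=list)
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def check_message(msg: Message, known_contacts: set) -> list:
    """Return (code, detail) findings; an empty list means the message passes."""
    findings = []
    visible = [a.lower() for a in msg.to + msg.cc]        # Bcc recipients cannot see each other
    external = [a for a in visible if domain_of(a) != ORG_DOMAIN]
    internal = [a for a in visible if domain_of(a) == ORG_DOMAIN]

    # 1. Mass mailing: many unrelated external parties exposed to each other in To/Cc.
    if len(external) > BCC_THRESHOLD and len({domain_of(a) for a in external}) > 1:
        findings.append(("BCC", f"{len(external)} external recipients visible in To/Cc; move them to Bcc"))

    # 2. Near miss: an unknown address that closely resembles a known contact (autocomplete slip).
    for addr in visible:
        if addr in known_contacts:
            continue
        for known in known_contacts:
            if SequenceMatcher(None, addr, known).ratio() >= NEAR_MISS_RATIO:
                findings.append(("NEAR_MISS", f"{addr} resembles known contact {known}; confirm before sending"))
                break

    # 3. Odd one out: a single unknown external address in an otherwise internal message,
    #    the typical symptom of merged personal and work contact lists.
    if len(external) == 1 and internal and external[0] not in known_contacts:
        findings.append(("ODD_ONE_OUT", f"{external[0]} is the only external recipient and is not a known contact"))
    return findings


def codes(findings: list) -> list:
    """Sorted, de-duplicated finding codes, convenient for policy decisions and tests."""
    return sorted({code for code, _ in findings})


if __name__ == "__main__":
    # Constructed sample contact list and messages.
    contacts = {"alice@example-corp.test", "bob@example-corp.test", "carol@partner.test"}
    samples = {
        "clean": Message(to=["alice@example-corp.test", "carol@partner.test"]),
        "typo": Message(to=["alice@example-corp.test", "caro1@partner.test"]),
        "mass": Message(to=["alice@example-corp.test"], cc=[f"user{i}@domain{i}.test" for i in range(6)]),
    }
    for name, m in samples.items():
        print(name, check_message(m, contacts))
```

A client plug-in or mail gateway would block or prompt on any non-empty result; the near-miss check in particular is what turns the auto-completion risk into a confirmation dialog rather than a breach notification.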
Many organizations are still stuck in paper-based workflows that are just as dangerous, warns Von Welch, executive director for cybersecurity innovation at Indiana University and the director of its Center for Applied Cybersecurity Research (CACR).
“The healthcare sector in particular still faxes a lot of things around, and I’ve dealt with more than one situation where somebody faxed things to the wrong place,” he warns. Posting or faxing the wrong information accounted for 13% of non-cyber data breaches across all sectors in the UK, according to the ICO.
The second most prevalent error in the DBIR was accidental publishing, as typified by the slew of accidental cloud database exposures that have leaked millions of personal records online. This is counted as non-cyber because while the data is exposed via the cloud, a human operator is the risk vector.
Accidental Exposures Are Dangerous
Accidental exposures like these don’t have to be exploited to represent a material threat to an organization, points out Spitzner’s colleague, SANS Institute chief of mission James Yacone. It’s just that the threat model is different.
The former FBI deputy director gives the example of a hospital sending sensitive information to five inappropriate people. The hospital would contact those people and ask them to delete the missent data. “If four come back and say, ‘yes we destroyed it’ but the fifth one never responds, then the hospital has to go public and that’s a breach,” he says. “Now you have breach fines and all sorts of big costs.”
Accidental risks extend to device mismanagement. This includes copying unencrypted data to removable storage and then losing it outside the office, although these incidents are less common at just 5% of non-cyber-based breaches, according to the ICO. Laptop loss or theft is another potential problem.
Here’s where technology can play a part, says Cameron Bulanda, security engineer at the Infosec Institute. “Access control is probably the biggest means of preventing the loss of crucial data when it comes to those types of physical assets in the real world,” he says. Other protective measures include full-disk encryption, and he advises companies to use multi-factor authentication to help protect devices outside the office.
The non-cyber risks extend to the end of the device lifecycle. Welch highlights inadequate disposal as another area to watch. This barely registered on the ICO’s scale, but amounted to 14% of breaches in the DBIR. Not properly wiping devices before selling or scrapping them is the primary issue, but Welch points to some novel risks, including syncing Bluetooth phones to rental cars and failing to scrub contact and other data when handing them back.
Hacking People and Processes
Human error isn’t just a problem when managing devices, points out Welch; it’s also an opportunity for targeted attacks as criminals exploit human weaknesses through social engineering. One of the biggest non-cyber threats is when attackers identify a weak spot in a company’s financial management processes, and use it to fool someone into sending money to a fraudulent account.
“One of the things that we do in my group is have double checks on anything over a certain amount,” Welch explains. The trick is to balance risk with practicality. “You don’t want to do that for every nickel and dime thing that you’re doing or your business will grind to a halt.”
This rethinking of business processes should be wider than mere financial management, covering issues such as the flow of information throughout the company, along with where and how it should be stored. That applies to both paper and digital documents, say experts.
Companies should categorize documents by their content and ensure that sensitive paper files go to the shredder, not intact to the dumpster. Bulanda recommends classification of digital files (you can embed metadata in the documents, often automatically, at source), combined with access controls and permissions, to stop people printing and distributing the wrong things. Just as paper requires a clean desk policy, bits and bytes require a clean hard drive policy.
Don’t stop at data, warn experts, arguing that shortcomings in physical security can render a company’s data and systems vulnerable. For example, COVID-19 has resulted in a lot of full shred bins in empty offices across the country, warns Coalfire’s Weber.
Physical Security
He adds that even physical office design plays a part. Positioning desks for visibility, designing office areas with differing levels of security and putting proper access points between them are all measures that can make or break a company’s security. He warns that social engineers can subvert physical security systems like badge-based access.
He recalls an infosecurity professional he knew that got a new job and posted a picture of his badge on social media. “It was quite comical. Thank you very much for the OPSEC leak. So now I can print a badge and walk into your facility,” Weber says.
A good social engineer would be able to get by without swiping the badge or having anyone inspect it, he adds. “When someone is tailgating an employee into a building, they’re not going to specifically request them to swipe their card if they can see they have that card on their body somewhere.”
That’s what’s known as a blended attack, Weber explains. It combines exploits that may be less effective on their own (copying a badge and tailgating someone into a building) but highly effective in concert.
Attackers can also use non-cyber weaknesses with network-borne attack techniques to good effect. Someone dumpster diving a CFO’s recycling at home might find company documents with information that could help them to make a targeted phishing attack on a colleague more convincing.
Protecting against these threats needs systems spanning non-cyber elements from information flow through to chains of command and physical design. Don’t underestimate the importance of a diverse team when creating one, warns Carol J Smith, senior research scientist in human-machine interaction at Carnegie Mellon University’s Software Engineering Institute, an adjunct instructor for CMU’s Human-Computer Interaction Institute (HCII), and a member of the Association for Computing Machinery. When designing information security systems, be sure that there are enough different perspectives on the team to identify as many potential weak spots as possible, and avoid groupthink.
“A lack of diversity in the team often leads to loopholes that people just aren’t aware of,” she warns. “They haven’t been speculative enough, they haven’t been curious enough to really examine all the potential loopholes that may be created in the system.”
A robust security policy will reinforce best practice across your organization, but the hard work is communicating it simply, warns the SANS Institute’s Spitzner. “The problem is firstly that the employees don’t know it, or if they do know, it’s complex, confusing, and overwhelming because security ‘geeks’ develop the process,” he says.
Non-cyber risks needn’t lay your company low, but countering them takes both attention to detail and the kind of end-to-end approach that entails a high-level view. Unlike a firewall configuration or a software patch, it isn’t a simple step-by-step process, but for truly robust protection, it must be a foundational part of your security thinking.