In our last blog on the broad topic of "how do I protect my company's sensitive information?", we reviewed several ways to get started. Before you can protect your sensitive data or "crown jewels", you've got to know what you have and where it lives. We covered creating an asset inventory for your data and then creating a policy to classify that data. Now, based on that classification, we can start determining what kinds of protections or security controls we're going to implement to do the heavy lifting of preventing unauthorized access. We're going to cover some of the biggies here, but don't think that this is an exhaustive list or a one-size-fits-all prescription. Each organization is different; we just want to give you some things to consider.
Encryption
So this probably seems like an obvious element of data confidentiality, but there might be some aspects you're not considering. Full-disk encryption of mobile assets and removable hard drives is a good place to start, but that only protects data at rest on those devices in the event of theft or loss. Here are some other things to watch out for:
- Transport Encryption – Make sure that your confidential information, and the credentials used to access that data, are encrypted at every point of transmission, both into and out of its resting place. This includes transfers inside the network (are files being moved around via unencrypted FTP?) as well as those entering or leaving the perimeter (our third-party vendor sends me a spreadsheet of this data every month…).
- Password Managers – This may seem unrelated at first, but stay with me here. During a penetration test (or an actual compromise, for that matter), the attacker is going to find an initial point of compromise and then attempt to move laterally in your environment. One of the easiest ways to do this is to gather credentials stored improperly in the environment. These may be in an Excel spreadsheet on a desktop, in a Word document on a file share that the "Everyone" group can access, or saved in the Chrome browser. Eventually, if you follow enough of these access trails, odds are that one will lead to some kind of sensitive data. To combat that, consider an enterprise-wide password manager that keeps these credentials encrypted, plus some training to help your users understand how to store passwords properly.
- Back-ups – Protect your back-ups! Encrypt them at rest, restrict access to them, etc. Too many times, I’ve encountered an environment where the “crown jewels” are adequately secured but the back-up files containing that data are completely neglected. These are as valuable to an attacker as the actual data in most cases, and should be protected with the same level of security controls as the primary data.
Access Control
This ad hoc list is not in priority order, so don't think that data encryption is any more important than controlling access. This control is where you apply the principle of least privilege to decide who can legitimately get to your sensitive information. This takes many forms, including:
- File Shares – Check all your organizational file shares (especially the ones containing sensitive data according to your data inventory) and make sure that the smallest possible number of users have access. Make sure the "Everyone" group or the "Authenticated Users" group isn't in there. Then, once you've baselined the permissions, perform regular verification checks to avoid permission creep.
- Users SHOULD NOT be local administrators – This is tangential to securing your organization's sensitive data directly, but if users are members of the local Administrators group on their own systems, it will only be a matter of time before an attacker can pivot through your environment and find the access or data they need. While you're at it, deploy Microsoft's Local Administrator Password Solution (LAPS) to randomize the local admin password on each machine and prevent pass-the-hash attacks.
- Strengthen your password policy – We'll continue beating this drum until organizations raise their minimum password baseline. Microsoft has recently (within the past year) increased the password length that can be enforced via GPO to 20 characters. Consider helping users migrate to a passphrase (a longer password, usually consisting of a sentence or phrase) to better protect against unauthorized access.
- Multi-Factor Authentication – For most organizations, sensitive data resides on systems, applications, and network locations that are protected by authentication of some kind. The best way to prevent unauthorized access is to use multi-factor authentication with a token, soft token, phone, biometric, etc. The choice of what to use is an organizational decision based on use cases, budget, compatibility, etc. But any MFA is better than none.
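The file-share baseline and verification checks described above, as an added PowerShell example (not code from the original post): it audits this file server's non-administrative SMB shares at both the share and NTFS layers, flags the over-broad groups named above, and diffs the result against a saved baseline so new grants stand out. The baseline path and the exact list of "broad" identities are assumptions.

```powershell
# Added example, not from the original post. Audits this file server's non-administrative
# SMB shares at both the share and NTFS layers, flags over-broad groups, and diffs the
# result against a saved baseline so new grants (permission creep) stand out.
# Assumptions: run with rights to read share/NTFS ACLs; baseline path is a placeholder.
$BroadIdentities = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$BaselinePath    = 'C:\SecAudit\share-acl-baseline.json'

function Get-ShareAclReport {
    # One record per (share, layer, identity, rights); admin shares (C$, ADMIN$) skipped.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | ForEach-Object {
            [pscustomobject]@{ Share = $share.Name; Layer = 'Share'; Identity = $_.AccountName
                               Rights = "$($_.AccessControlType):$($_.AccessRight)" }
        }
        (Get-Acl -Path $share.Path).Access | ForEach-Object {
            [pscustomobject]@{ Share = $share.Name; Layer = 'NTFS'; Identity = $_.IdentityReference.Value
                               Rights = "$($_.AccessControlType):$($_.FileSystemRights)" }
        }
    }
}

function Get-AclKey($Entry) { "$($Entry.Share)|$($Entry.Layer)|$($Entry.Identity)|$($Entry.Rights)" }

$current = @(Get-ShareAclReport)

# Check 1: a broad group anywhere in the chain means least privilege is not being applied.
$current | Where-Object { $BroadIdentities -contains $_.Identity } | ForEach-Object {
    Write-Warning "Broad access on '$($_.Share)' [$($_.Layer)]: $($_.Identity) $($_.Rights)"
}

# Check 2: compare against the baseline taken after the shares were cleaned up.
if (Test-Path $BaselinePath) {
    $baseKeys = @(Get-Content $BaselinePath -Raw | ConvertFrom-Json | ForEach-Object { Get-AclKey $_ })
    $creep = $current | Where-Object { (Get-AclKey $_) -notin $baseKeys }
    if ($creep) { $creep | Format-Table Share, Layer, Identity, Rights -AutoSize }
    else        { Write-Host 'No changes since baseline.' }
} else {
    # First run: persist the reviewed state as the baseline for future checks.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath; review it, then rerun on a schedule."
}
```

Run it once after cleaning up a server to write the baseline, then on a schedule; any row it prints under Check 2 is a grant that was not present when the share was last reviewed.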
The Human Element
All the technical controls in the world won't prevent a malicious insider or an uninformed user from disclosing your sensitive data one way or another. There are some additional activities that can help communicate to your users how important these data sets are to your organization and give them some high-level "dos and don'ts".
- Security Awareness Training – Make sure your training program covers the data classification program: what your organization considers sensitive, how that information should be protected, and some common ways to protect it. The more your users know, the less likely a slip or exposure caused by inexperience or ignorance, such as sending data through email or to a third party outside the organization (perhaps in response to a social engineering attack).
- Data Loss Prevention – The effectiveness of DLP solutions hinges on the type of data you are trying to detect and the rules you put in place to monitor the data. But with proper care and feeding, they can be an effective preventive and detective control to stop sensitive data from leaving the organization, via removable device or email. This can help combat the malicious insider aspect and the accidental attachment scenarios.
- Content Filtering – A strict content filter on your organization's outbound web traffic can prevent users from going to bad places on the Internet. Those bad places should generally include third-party document sharing sites such as Google Drive and Dropbox, to help prevent the easy or unknowing exfiltration of data.
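As an added illustration of the point above that a DLP control is only as good as its rules (example code, not from the original post): a minimal PowerShell rule for payment card numbers. A loose digit pattern alone fires on order and tracking numbers, so each candidate is validated with the Luhn checksum before it is reported, and only the last four digits are shown. The sample lines are constructed for the demo.

```powershell
# Added example, not from the original post. A minimal DLP-style rule for payment card
# numbers: a loose digit pattern alone would fire on order or tracking numbers, so each
# candidate is validated with the Luhn checksum before it is reported, and the report
# shows only the last four digits. Sample lines below are constructed for the demo.
function Test-Luhn {
    param([string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int]$Digits[$i] - [int][char]'0'     # char code to digit value
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-CardNumbers {
    param([string[]]$Lines, [string]$Source = 'sample')
    # 13-19 digits, optionally separated by single spaces or dashes, on word boundaries
    $pattern = '\b(?:\d[ -]?){12,18}\d\b'
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        foreach ($m in [regex]::Matches($line, $pattern)) {
            $digits = $m.Value -replace '[^\d]', ''
            if (Test-Luhn $digits) {
                [pscustomobject]@{
                    Source = $Source; Line = $lineNo
                    Masked = ('*' * ($digits.Length - 4)) + $digits.Substring($digits.Length - 4)
                }
            }
        }
    }
}

# Constructed input: a tracking number (fails Luhn) and two well-known test card numbers
$sample = @(
    'Shipment 1234567890123456 left the warehouse',
    'Customer paid with 4111 1111 1111 1111 on 3 May',
    'Refund to card 5555-5555-5555-4444 approved'
)
Find-CardNumbers -Lines $sample | Format-Table -AutoSize
```

On the sample input only lines 2 and 3 are reported; the tracking number on line 1 matches the pattern but fails the checksum, which is exactly the kind of false positive that makes an untuned DLP rule unusable.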
We've highlighted a total of ten broad security controls for your consideration when thinking about how to protect sensitive data in your organization. Hopefully, you can take these ideas and incorporate them into your strategic security plans, or mentally check the box that you are already handling things appropriately. If you've got questions or are interested in more detail about these controls, don't hesitate to reach out to us.