A while back during an InfoSec discussion, someone asked me a question regarding bypassing network security. I fondly recalled my Social Engineering Specialist shirt I purchased in 2006 from Jinx, the phrase “Because there is no patch for human stupidity” emblazoned on the back for all the admire. My answer followed the shirt’s message; not to probe perimeters but to probe bad user habits, and for most that answer rings more true than building a GPU rig to run collision attacks on SHA-1. We’re now reading about Michael Best’s discovery of leaked user IPs from Cryptome. How were the source IP’s of some of the more security conscious users leaked? They were accidentally included with the sites content in a USB file sent to Michael Best for addition to archive.org… by Cryptome themselves. Awesome.
I have two things to say, A) nice work Michael and B) to the Cryptome people, don’t shoot the messenger, instead thank him and figure out how not to do it again. Why do I bring this all up? Our industry is so focused on perimeter security and external attack vectors, we let our users run around internal networks like an unmonitored playground. It’s all fun and games until Timmy accidentally downloads sensitive client data to an excel spreadsheet to work from home and leaves his laptop at Starbucks. We have a great history of lost laptops having SSN, banking, and other whatnot’s to fill any security team’s compendium of horror.
I remember a cloud migration my cohort was auditing to ensure HIPAA compliance. The CISO was super concerned with the clouds perceived insecurity and questioned every decision made. My friend was brought into these arguments late in the game and decided to display the ACL for the internal data at rest. By using Distribution Lists as Security Groups within Active Directory (as an exchange admin I cringe just writing that sentence), several managers had inadvertently given multiple external contractors and unpaid interns access not only to corporate financial data but to much more sensitive client data too. Apparently, the CISO went ballistic and the following project after migration was an ACL overhaul and segregation of all Dist/Sec lists in AD. Ouch.
Why we still talk about this subject is frustrating because there are measures to prevent or compartmentalize accidental data leak risk. In the case of Cryptome, how are the IP connections logged against the dataset? Can they be split? Do they need to live within the same database/table? Once the query or files identified are grabbed, is anyone inspecting the outbound information? With a smaller operation like Crytome, one could see where a slipup could occur, but larger enterprises have the same risk and can’t rely on the same excuses.
Why oh why do non-elevated priv users have SQL access to perform their own queries?
Why oh why do we copy user security permissions for ease of administration and accidentally grant access to intellectual property to a vendor?
WHY OH WHY do users think it’s acceptable to give a vendor their credentials because it’s too much of a delay to go through proper channels to create a vendor account?
We’ll never get rid bad user habits so it’s up to InfoSec and Operations to properly isolate applications and the data they access to protect and minimize damages when these accidents happen. Prevention is only helpful when enacted prior to an incident, after that, it’s simply damage control. Please protect your data, and protect your users from themselves.