Earlier this week, Keith Ng blogged about a massive security hole in the New Zealand Ministry of Social Development’s (MSD) network. He was able to walk up to a public kiosk in the Work and Income office and—without cracking a password or planting a Trojan—immediately gain access to thousands upon thousands of sensitive files.
How sensitive, you ask? Among other things, Ng could browse, read, and modify:
- Invoices and other financial data
- Call system logs
- Files linking children to medical prescriptions
- Identities of children in special needs programs
How did this happen?
Well, there are two possibilities:
1. The kiosks were logged in with an administrative account (e.g., Domain Admin) with full access to all data on the network
2. The kiosks were logged in with a “normal” account, but the file shares were incorrectly permissioned, allowing global access
I find it very hard to believe that the kiosks were logged in as administrators, but we can’t rule it out. The latter cause, broken/excessive permissions, is actually a very common problem that we address with organizations literally every week at Varonis.
What could have been done to prevent it?
Unplugging the kiosks is only step 1. The kiosks aren’t the issue. There are much bigger information governance problems at the heart of this data leak.
Here are some tips that will help address the root cause, not just the catalyst:
1. Locate exposed, sensitive data
- Use a data classification framework to scan your file servers and determine where your most sensitive content lives, and where it is exposed to too many people
Once you’ve located the sensitive stuff, make sure only the right people have access, and then monitor activity on that sensitive data to make sure that authorized users aren’t abusing their access.
If I’m a CSO, I want a solution that tells me at any given time exactly where all my sensitive data is, where it is over-exposed, and who is accessing it. If someone creates a file with a social security number or patient ID and plops it onto a public share that a kiosk can see, I want my team to be alerted automatically.
2. Identify and remove global access groups from ACLs
- Figure out where “Everyone” or “Authenticated Users” appears on ACLs and remove them
This can be tough because a.) it’s not trivial to crawl every ACL on every file server or NAS device looking for “Everyone” and b.) you have to pull global access without cutting off people who really need the data.
3. Watch your super users
- Setup alerts for whenever someone is granted super user/administrator privileges
- Periodically review the list of people who have privileged access
- Review your audit trail to see what super users are doing with their elevated rights
Even if the kiosks were mistakenly setup to run under a super user account, if MSD were reviewing access activity they likely would have noticed an inordinate amount of super user activity from the public kiosks’ IP addresses.
4. Assign and involve data owners
- Access to children’s medical records, for instance, should be granted and reviewed not by IT, but by the business unit that is responsible for managing patients (e.g., a medical director).
By transferring this responsibility to the people who are most equipped to make access control decisions (i.e. data owners), not only do you end up with better decisions, but you also relieve some of the burden on IT.
How hard can it be?
Many of the comments on Ng’s posts were along the lines of “Rookie mistake!” or “Security 101!” I assure you, information governance is much harder than people think, especially in an age where data is somewhat of a contagion, being created and replicated at such a staggering pace.
To these commenters, I’d like to propose a simple question: without an automated solution, how would MSD’s IT department know which folders were mistakenly open to everyone?
It takes one frustrated person 30 seconds to add “Everyone” to an ACL, but it could take years to find and correct that access control failure. Worse yet, once found, how do you know whether the over-exposed data was stolen by someone who isn’t as harmless as Keith Ng?
That’s the question New Zealand’s government is facing right now.
What is the state of your data protection?