Double Your Threat Blocking in 90 Days
By Picus Labs • August 09, 2023, 17 min read
In today's rapidly evolving digital landscape, we rely heavily on data. It has become an invaluable resource, whether personal information, business intelligence, or sensitive governmental data. However, as data becomes increasingly vital to our daily lives and operations, protecting it from unauthorized access or exposure has become more challenging.
This blog post discusses data leakage and explores its different types - physical exposure, malicious insider activity, and accidental leakage. We share some notable examples demonstrating how simple mistakes or oversights can lead to severe consequences. We also compare data leakage with concepts like data breach and exfiltration to help you better understand these concepts.
Data leakage is the unintentional exposure of sensitive data either in transit, at rest, or in use. This often occurs due to oversight, errors, or negligent actions within an organization, resulting in the availability of the data to unauthorized individuals or entities.
There are three main types of data leakage cases.
Physical exposure pertains to the potential vulnerability of data stored on physical devices, such as hard drives or USB drives, which aren't securely stored or handled. When such devices, containing confidential information, are left unattended, they pose a risk of data being accessed, copied, or stolen, either unintentionally or through deliberate actions.
Consider this instance of physical exposure leading to a significant data leak.
In 2019, a laptop containing confidential data of over 25 million Capital One credit card customers was left unattended at a coffee shop in the United States . This laptop was stolen by an unidentified individual, who subsequently accessed the sensitive data and sold it on the dark web. The exposed data included names, addresses, Social Security numbers, and credit card numbers. This data breach impacted customers in the United States, Canada, and the United Kingdom.
For this data breach, Capital One was penalized $80 million by the Federal Trade Commission (FTC). The FTC determined that Capital One hadn't taken reasonable measures to safeguard the sensitive data on the laptop. This case underscores the significance of physical security. Organizations should implement measures to protect sensitive data from physical exposure.
Data leakage by a malicious insider refers to the unauthorized release or distribution of sensitive or confidential information by an individual who has or had legitimate access to that data within an organization. This could be a current or former employee, a contractor, a business partner, or any other insider who has been given access to the organization's data.
Here is an example of a malicious insider causing a significant data leakage.
In 2006, an employee of the US Department of Veterans Affairs (VA) was caught stealing sensitive data on over 26 million veterans . The employee had been working for the VA for over 10 years and had access to a wide range of sensitive data, including names, addresses, Social Security numbers, and medical records.
The employee was motivated to steal the data by financial gain. He had been struggling with financial problems for some time and was looking for a way to make some quick money. He planned to sell the data to a third party on the dark web. The employee was caught after he was found trying to sell the data to an undercover FBI agent. He was arrested and charged with theft of government property and unauthorized access to a protected computer.
This case is a reminder of the importance of data security. Even trusted employees can be malicious insiders. Organizations should take steps to protect their data from insider threats, such as by implementing strong access controls and employee background checks.
Accidental leakage refers to inadvertent data breaches that primarily occur due to human mistakes or negligence. Common instances of accidental leakage include employees mistakenly dispatching emails containing proprietary or confidential information to incorrect recipients, or flaws in internal security protocols that provide excessive permissions to sensitive files. Additionally, this can also happen when potential vulnerabilities in software applications are not promptly patched or updated, leading to inadvertent exposure of critical data.
Examples of these types of data leakage incidents will be provided later in this blog.
There are six primary causes of data leakage within an organizational environment.
Misconfigurations are one of the key causes of data leakage, typically referring to improper setups in databases, servers, networks, or cloud storage, resulting in unauthorized data exposure. This can result from improperly set access controls, known as permission errors, which inadvertently give unapproved users access to sensitive data.
Similarly, inadequate network security settings can compromise data encryption or leave devices containing sensitive data exposed online. The risks extend to systems' default settings, which, if left unchanged, can prove insecure. For example, weak default passwords or open access permissions can facilitate unauthorized data access. Significant risks also lie in the realm of cloud storage, where improper configurations can result in publicly accessible storage or insufficient access controls.
Phishing and Social Engineering
Phishing (ATT&CK T1566) and other social engineering attacks are deceptive techniques attackers use to trick individuals into sharing sensitive information like login credentials, personal data, or any data that can be leveraged to perform an attack in the hands of an adversary.
Phishing usually involves seemingly trustworthy electronic communications, like emails or text messages, that prompt users to enter their information on a fake but convincing-looking website.
Social engineering goes a step further, exploiting human psychology to trick users into breaking security protocols, often via impersonation or manipulation. These methods are prevalent because of the human factor - even with the best technical defenses, people can still be tricked into giving away critical information.
Weak Password Practices
Poor password practices, such as using simple, easy-to-guess passwords, using the same password across multiple accounts, or sharing passwords with others, significantly increase the risk of unauthorized access to sensitive data.
Attackers often use automated tools to guess passwords, and if a password is weak or widely used, the likelihood of a successful guess is high. Additionally, if one account with a reused password is compromised, all others are also at risk.
Loss or Theft of Devices
Mobile devices like laptops, smartphones, and tablets often store or have access to sensitive data. If these devices are lost or stolen, and they're not adequately secured (for instance, via encryption or strong access controls), unauthorized individuals may access the data. Additionally, portable storage devices like USB drives can also be a significant risk if they're lost or stolen.
Unpatched Software Vulnerabilities
Software vendors routinely release updates to fix known vulnerabilities in their products. If these updates, or patches, are not promptly applied, attackers can exploit these vulnerabilities to gain unauthorized access to systems and data. This is particularly concerning with so-called "zero-day" vulnerabilities, where the time between the vulnerability's discovery and the first attack exploiting it is extremely short, giving organizations little time to react.
Inadequate Management of Legacy or Old Data
Organizations often accumulate vast amounts of data over time, including data from legacy systems that might not be in active use. If not properly managed, this old data can be exposed inadvertently or be more susceptible to breaches due to outdated security measures.
For instance, data might be stored on outdated systems with known vulnerabilities, or old databases might be unintentionally left accessible when systems are upgraded or replaced. Mismanagement of old data can also lead to non-compliance with data protection regulations, which often require old data to be deleted when it's no longer needed.
Here are a few notable instances of data breaches.
Example 1: Data leakage caused by a typo
It was reported in 2023 that millions of sensitive US military emails were sent to the wrong address because of a typo over ten years. The emails were intended for the US military's ".mil" domain, but they were accidentally sent to the ".ml" domain, which is the domain for Mali, a West African country .
The typo was apparently caused by the fact that the ".mil" and ".ml" domains are very similar. The only difference is that the ".mil" domain has one more letter than the ".ml" domain. This small difference was enough to cause millions of emails to be sent to the wrong address. The emails that were sent to the wrong address contained sensitive information, such as passwords, medical records, and the itineraries of top officers. This information could have been used by hostile actors to harm the US military.
The Pentagon said that it had taken steps to address the issue, such as blocking emails from being sent to the ".ml" domain. However, it is possible that some emails may have still been sent to the wrong address.
This case is a reminder of the importance of data security. Even a small typo can have a big impact, especially when it comes to sensitive information. Organizations should take steps to protect their data from human error, such as by using spell checkers and double-checking addresses before sending emails.
Example 2: Cloud Misconfiguration
In March 2023, the U.S. The Department of Defense accidentally leaked thousands of sensitive military emails due to a misconfigured email server on the Microsoft Azure government cloud . This service, which is separate from the Azure commercial cloud services, exposed three terabytes of internal emails from the U.S. Special Operations Command for two weeks. The emails were accessible to anyone with knowledge of the IP address and internet access, and contained sensitive information, including personal and health information required for security clearance.
Despite this, the Department of Defense and Microsoft were unaware of the data leakage for two weeks. The cause of the exposure is unclear, but sources suggest human error may be to blame. The incident raised concerns about the Pentagon's increasing use of cloud services, as well as the risks of human error in configuring and managing these services.
Example 3: Cloud Misconfiguration Caused by a Third Party Contractor
In November 2017, a misconfigured Amazon S3 bucket inadvertently exposed the personally identifiable information (PII) of 48,270 employees working in various Australian organizations, including government agencies, banks, and a utility company . This compromised data included names, passwords, IDs, contact details, and some credit card numbers, in addition to salary and expense information.
Several organizations were affected, including insurance company AMP (25,000 staff records), utility company UGL (17,000 records), the Australian Department of Finance (3,000 records), the Australian Electoral Commission (1,470 records), the National Disability Insurance Agency, and Rabobank (1,500 employees).
Upon discovering the situation, the Australian Cyber Security Centre (ACSC) swiftly worked with the external contractor responsible for the misconfiguration to secure the information and rectify the vulnerability. The incident appeared to be the result of the third-party contractor failing to adequately secure the web service, rather than any malicious activity.
Data leakage and data breach are two distinct occurrences related to an unwanted disclosure of data.
A data leak refers to an event where sensitive material is accidentally exposed or mishandled within or out of the organization, typically due to internal triggers like software misconfigurations or overlooked vulnerabilities. Leaks can also occur through physical mediums like lost storage devices.
Conversely, a data breach occurs when external entities intentionally bypass security measures and access protected data without authorization. It's primarily a result of cyberattacks intended to infiltrate systems, often involving activities like phishing, malware implantation, or exploiting system vulnerabilities.
In essence, the main distinction boils down to intent and origin. Leakages often stem from accidental internal discrepancies, whereas breaches are deliberate acts typically externally initiated. Nonetheless, both events lead to the same damaging outcome - the compromise of sensitive data.
Data exfiltration and data leakage are two terms commonly used in the field of cybersecurity, and while they may appear similar, they refer to distinctly different events.
Data Exfiltration refers to the unauthorized transfer of data from within an organization to an external destination or recipient. It can be carried out using various techniques and is often associated with cyber attacks or insider threats. Data exfiltration is usually a deliberate act aimed at stealing sensitive or confidential information. This can include intellectual properties, customer information, financial data, or any other types of data that could be of value.
On the other hand, Data Leakage refers to the unintentional or accidental release or exposure of sensitive data from within an organization. This can occur due to various reasons, such as human error, system vulnerabilities, or lack of secure procedures in handling sensitive data. While data leakage may sometimes be a result of malicious activities, it is often not a deliberate act.
The primary difference between these two events lies in intent and method. Data exfiltration is a deliberate act of extracting data without authorization, often involving sophisticated techniques to remain undetected. In contrast, data leakage is usually unintentional and happens due to insufficient security measures, negligence, or accidents.
There are five main precautions that you can take to protect your organizations from data leakage.
Access control is one of the most effective methods to prevent data leakage, as it ensures that only authorized users can access certain information. This reduces the potential exposure of sensitive data to malicious actors or unauthorized individuals.
To highlight the efficacy of access control in preventing data leaks, let's consider the 2017 data leakage incident involving the Republican National Committee (RNC) . The RNC engaged a data analytics firm, Deep Root Analytics, to gather information about millions of American voters. This sensitive information was stored on an unsecured Amazon S3 bucket and was unintentionally made public, leaking personal details of nearly 200 million American citizens.
In this case, access control could have played a significant role in preventing the data leakage. The S3 bucket storing the sensitive information was misconfigured and set to "public" rather than "private." If access control measures had been properly implemented, the information would have been accessible only to authorized individuals or systems.
Amazon S3 provides robust access control mechanisms, including bucket policies and Access Control Lists (ACLs), which can restrict access to the bucket or even individual objects within the bucket. Moreover, the use of identity and access management (IAM) roles can ensure that only certain roles within the organization have the necessary permissions to access or modify the data.
Monitoring the Security Posture of Third-Party Vendors
Continuously monitor your vendors' security practices to ensure they're maintaining proper security standards. This can be facilitated through security scoring, providing a quantifiable measure of a vendor's security performance. Combining these strategies will create a robust defense against data leakage.
Encrypting the Sensitive Data
Encrypting sensitive data is one of the measures in the prevention of data leakage. When data is encrypted, it's transformed into an unreadable format, a process which can only be reversed using an encryption key. This creates a significant barrier for unauthorized individuals seeking to access the information, as the data is useless without the decryption key.
However, it's important to note that encryption is not a silver bullet for data leakage prevention. Skilled hackers with enough resources and time may still manage to decrypt the data without the key. Therefore, while encryption significantly improves the security of data, it should be used as part of a broader, multi-layered approach to data protection. Other prevention strategies should include monitoring network activity and ensuring endpoint security.
Conducting Security Audits
Regular security audits play a crucial role in data leakage prevention by proactively identifying and addressing internal issues that could lead to accidental data exposure within an organization. These audits involve comprehensive assessments of an organization's security infrastructure, processes, and practices to ensure data protection and compliance with relevant regulations.
During security audits, potential vulnerabilities in software, networks, and systems are identified and rectified promptly. Misconfigurations, weak access controls, and other security gaps are addressed, reducing the risk of unauthorized data access. By regularly evaluating and updating security measures, organizations can significantly reduce the likelihood of accidental data leakage.
A Data Leakage Prevention (DLP) Policy is a framework that guides an organization's efforts to prevent the unauthorized access, use, disclosure, disruption, modification, or destruction of sensitive information. This policy includes identifying sensitive data, monitoring its use and movement, and preventing unauthorized access or sharing. It keeps sensitive data, such as personally identifiable information (PII), protected health information (PHI), and intellectual property, safe from cyber threats.
Key points to consider in a DLP policy:
Identification of Sensitive Data: A DLP policy begins with the identification of data that requires protection. This may include customer information, financial data, employee records, or intellectual property.
Monitoring and Protecting Sensitive Data: After sensitive data is identified, the policy defines how this data should be monitored and protected. This may include the use of DLP software that can classify and isolate policy violations, and remediate them with encryption, alerts, and other measures.
Compliance: A key part of any DLP policy is ensuring compliance with relevant industry regulations. For instance, healthcare organizations need to comply with HIPAA rules, financial institutions with PCI DLP standards, and any company dealing with personal data of EU citizens must adhere to GDPR.
Best Practices for DLP Policy Creation: Best practices for creating a successful DLP policy include involving leadership, educating the workforce, specifying roles, and using metrics to measure success.
DLP Policy Templates: Many DLP tools offer templates to help organizations quickly establish effective DLP policies. These templates can be customized based on the unique needs of the organization.
Here are four open source data loss prevention tools.
MyDLP is a comprehensive, open-source data loss prevention (DLP) solution, protecting sensitive data such as credit card numbers, passwords, and personal health information. It monitors data in motion, at rest, and in use, allowing for custom policy creation. Suitable for organizations of all sizes, MyDLP is easy to install, configure, and doesn't demand extensive system resources.
OpenDLP is a free, open-source data loss prevention tool, useful for scanning files for sensitive data and preventing exfiltration. Compatible with Windows and Linux systems, it uses regular expressions to locate sensitive data and allows custom profiles for data protection. OpenDLP prevents exfiltration by blocking transfers or encrypting files. It's a suitable option for organizations needing a lightweight, easy-to-install DLP tool that doesn't consume extensive system resources.
DLP4Linux is a dedicated data loss prevention tool designed for Linux systems. This open-source solution aids organizations in identifying and protecting sensitive information residing on or passing through their Linux-based systems. It's equipped with advanced data detection mechanisms that scan various file types for sensitive content. With its capacity to enforce strict policies, DLP4Linux can prevent unauthorized data transfers or modifications, ensuring a solid defense against potential data leaks.
Data Loss Prevention Toolkit
The Data Loss Prevention Toolkit is a comprehensive set of tools designed to help organizations identify, monitor, and protect sensitive data from unauthorized access or exfiltration. This suite enables custom policy enforcement, ensuring only authorized individuals can access or transfer specific data types. The toolkit's strength lies in its versatility, being compatible with various system environments. It allows for deep content inspection, enabling precise identification of sensitive information in diverse file formats.
Security Control Validation (SCV) solutions provide an essential service in the cyber defense industry by continuously testing and validating the effectiveness of various security measures, including Data Loss Prevention (DLP) systems.
To illustrate this, let's take a closer look at a simulated scenario facilitated by an SCV solution like Picus.
Figure 1. Payment Card Industry Data Exfiltration Threat Simulation by Picus Security Control Validation Platform.
The simulated 'attack' involves uploading a document that contains data structured similarly to genuine Payment Card Industry (PCI) and Personally Identifiable Information (PII). This data is carefully crafted to closely resemble real sensitive information, enabling a realistic testing scenario. The file type used in this scenario (.ODT format) is a common document format that can be used in typical business operations, making the test even more authentic.
The file contains PCI data, such as full credit card information, and PII data that can identify specific individuals, including name, email address, fiscal code, birth date, physical address, phone number, credit card type, issuing bank, and BIN (Bank Identification Number). Although this data is synthetic or randomized, the structure mirrors real-world sensitive information.
For instance, the sample data for an individual in this test might look like this:
Name: ZAIRA CAMPANILE,
Fiscal Code: CMPZRA67H49C361Z,
Birth Date: 1967,
Address: NAPOLI VIA M.CATONE 2,
Phone Number: 0818181186,
Credit Card: 371771890526665,
Card Brand: AMERICAN EXPRESS,
Issuing Bank: AESEL - ITALY CONSUMER CHARGE,
Bank Identification Number (BIN): 371771
The aim of this 'attack' is to assess if the DLP system can accurately identify and trigger an alert when sensitive data structures and keywords, indicative of PCI and PII, are being exfiltrated. The DLP solution's ability to detect this attempt determines its effectiveness.
By conducting such realistic simulations, SCV tools help organizations ensure that their DLP systems are tuned correctly to prevent data leakage, providing a solid defense against potential real-world cyber attacks.