EMBEDDED DATA, THE HIDDEN THREAT INSIDE OFF-NETWORK AND END-OF-LIFE DEVICE
Executive Summary
Organizations spend most of their IT security budgets on devices that are on-network and protected by firewall technologies; however, over 70% of data breach events come from off-network devices. This indicates that there is a huge disconnect between perceived and actual threats to data security. Exacerbating this problem is the fact that many companies have no visibility into the root cause of a cyber-attack.
A study released by the Ponemon Institute reported that 45% of organizations have no way of knowing what the root cause of an attack was. Historically, organizations have focused most of their attention on off-network data security on securing the hard drive. Data eradication and erasure tools, encryption, tracking, reporting, and the available security services all concentrate on the hard drive because that is where the data resides. Distributed intelligence has created a world where devices hold embedded data, i.e., data not necessarily on a hard drive, with the potential to cripple any business. In the past, if a hard drive was lost or stolen, damage could, for the most part, be compartmentalized and managed. However, embedded data can allow access to your organization’s network and, in the wrong hands, has the potential to inflict damage on a business in new and very dangerous ways, financially and reputationally.
Although the data security measures undertaken by companies and the number of data security laws on the books are increasing, we still encounter shocking gaps in data security simply because of lack of knowledge.
At Brass Valley, we want to help educate our customers and the public at large on the potential exposure from some of the hidden dangers. The purpose of this whitepaper is to give you examples of embedded data, so you know where it may reside in your environment, and share with you some of the data security gaps we found in looking at devices from companies across the U.S.
CONCERNS ABOUT EMBEDDED DATA
Distributed Intelligence is the Driving Force Behind Embedded Data
Everything is getting smarter, which is great! Smartphones, cars, industrial sensors, smart PDUs, HVAC systems, household appliances, medical equipment, and much more are now connected to the internet 24 hours a day, seven days a week, enabling intercommunication between our devices to make our lives easier.
This is the Internet of EVERYTHING that we hear about on a daily basis! However, it also puts the organization and clients potentially at risk.
This constant interconnectedness also means that data from all these devices is constantly being collected, stored, and monitored, which is where the danger lies. If the organization does not properly manage, protect, and destroy this data when it decommissions these devices, there is a huge opportunity for unauthorized access to the organization’s and its clients’ sensitive information.
Why Security Experts are Concerned about Embedded Data
In July 2014, at “The Future of Warfare” at the Aspen Security Forum, Dawn Meyerriecks, the Deputy Director of the CIA’s Directorate of Science and Technology, cited concerns about the looming geo-security threats posed by the Internet of Things, i.e. the embedding of computers, sensors, and Internet capabilities into more and more physical objects: “Smart refrigerators have been used in distributed denial of service attacks. Last year at least one smart fridge played a role in a massive spam attack, involving more than 100,000 internet connected devices and more than 750,000 spam emails. Even smart fluorescent LEDs that are communicating their need to be replaced are also being hijacked for other things.”
CLIENT CASE STUDIES
Embedded Data, an Entry Point for a Data Breach
We see examples of companies overlooking hidden data almost on a weekly basis.
Some recent examples include:
A client asked us to help them remarket their old phone system, which comprised a few hundred phones and a few controller units. When we discussed data security, the client told us the devices were free of any data and that someone had come in and erased all their hard drives. When we bring equipment into our facility for processing and remarketing, we test all items designated for refurbishment and resale as a normal part of the process.
During the test procedure, we found that the phones held IP addresses, passwords, and voicemails, all as embedded data.
An example of embedded data showing up somewhere unexpected with the possibility of major negative consequences happened at a well-known box store. They had sent us all their inventory scanners for disposal. They insisted further data security services were not applicable because some other firm shredded their hard drives. Unfortunately, they were a victim of not addressing the embedded data! We found wireless cards in each scanner with complete login credentials to the wireless network of the client. What a find for a nefarious individual attempting to get into their network!
Most of the time when we present embedded data concepts, people naturally tend to think of devices outside the data center. Locating embedded data within the data center is not intuitive, and this can be dangerous because data center equipment can contain some of the most devastating forms of information if it falls into the wrong hands.
A good example of this occurred with a client that was refreshing their switches and we were called in to provide a trade-in value. We asked if part of the buy price would include proper erasure of the devices.
The client thought for a minute and said, “I’m not sure.”
We talked further and discovered that he had no idea which switches had media in them and which ones did not. Because he was not aware of it, and he did not track it, he was not sure what devices needed data security processing. This realization made him think about the possible wide-open exposure his company had from previously decommissioned switches that he did not erase properly.
A large financial client was replacing and reselling their multifunction fax machines. They insisted that they had flushed the memory buffers and everything was gone. Two months later, the manufacturer showed up at their door looking to fix a fax machine that was dialing home for repairs. The client did not realize that there was more than one memory buffer and that the machine had a call-home feature, which one of the remarketed fax machines used in its moment of distress. Now the company is distressed!
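The gap common to these case studies is that only the hard drive was tracked, so a release check has to look at every data store a device type can hold. The sketch below is an added example, not a Brass Valley tool; the device kinds, store names, and asset IDs are hypothetical labels built from the case studies above.

```python
# Constructed baseline: store names are hypothetical labels for the data
# locations named in the case studies; extend it from vendor documentation.
EXPECTED_STORES = {
    "phone_system": {"hard_drive", "handset_config", "voicemail"},
    "inventory_scanner": {"hard_drive", "wireless_card"},
    "switch": {"installed_media"},
    "fax_mfp": {"memory_buffer_primary", "memory_buffer_secondary",
                "call_home_config"},
}

# Constructed sample inventory. "sanitized" lists the stores that have a
# sanitization record; None means nobody tracked the device at all.
INVENTORY = [
    {"asset_id": "PHONE-0001", "kind": "phone_system", "sanitized": ["hard_drive"]},
    {"asset_id": "SCAN-0001", "kind": "inventory_scanner", "sanitized": ["hard_drive"]},
    {"asset_id": "SCAN-0002", "kind": "inventory_scanner",
     "sanitized": ["hard_drive", "wireless_card"]},
    {"asset_id": "SW-0001", "kind": "switch", "sanitized": None},
    {"asset_id": "FAX-0001", "kind": "fax_mfp", "sanitized": ["memory_buffer_primary"]},
    {"asset_id": "HVAC-0001", "kind": "hvac_controller", "sanitized": []},
]


def release_blockers(kind, sanitized):
    """Return the reasons a decommissioned device must not leave custody yet."""
    expected = EXPECTED_STORES.get(kind)
    if expected is None:
        # Unknown device type: fail closed rather than assume it holds no data.
        return [f"device type '{kind}' has no data-store baseline; assess before release"]
    missing = sorted(expected - set(sanitized or []))
    return [f"no sanitization record for {store}" for store in missing]


def audit(inventory):
    """Map asset_id -> blockers for every device that is not safe to release."""
    report = {}
    for device in inventory:
        blockers = release_blockers(device["kind"], device["sanitized"])
        if blockers:
            report[device["asset_id"]] = blockers
    return report


if __name__ == "__main__":
    for asset_id, blockers in audit(INVENTORY).items():
        print(asset_id, "BLOCKED:", "; ".join(blockers))
```

Only the scanner with a record for both its hard drive and its wireless card passes; every other device is held, including the device type that has no baseline yet.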
These are just a few examples of how easily embedded data can slip through traditional decommissioning processes. Some constitute a total breach. Some provide data like IP addresses and passwords that are the point of entry for a data breach. Now you may be asking, how can I be proactive in protecting my company from an embedded media breach?