When it comes to protecting personal healthcare information or a medical facility from cyberattacks or data breaches, the first step that must be taken is a thorough and exhaustive data assessment.
The data assessment will provide your organization with a complete understanding of:
- Who has access to the data?
- What types of sensitive information are stored?
- Where is the data stored?
- When was the data last modified?
Why? Because a cybersecurity team cannot be expected to protect something if it does not know it exists in the first place.
A data assessment can deliver the level of understanding that a cybersecurity practitioner needs to create a proper response plan in case of attack and make sure data is only accessible to those who need access.
The assessment cannot determine whether the people we find with access to a share should have that access. For the most part, we can tell an organization if the list of users we see with access to that share is appropriate based on how the organization has named the groups and the job titles of the individuals. We cannot say is if the members of these groups are appropriate because we don’t know these people or their roles. So, that’s something that the internal IT department must determine.
Therefore, the IT team should perform a quarterly review of access rights and group memberships.
Seeking Out Hidden Data
During this initial part of the journey, multiple paths can be taken to discover all the data hidden in an organization’s nooks and crannies.
The first avenue is to scan all the servers in the organization. The team can enumerate that list of servers from the organization's Active Directory, so the organization we are assessing does not have to supply any information. Or the organization can simply supply us with a list of the servers to be scanned.
At this point, the scanning utility will go through and scan all the shares on the server, including any hidden shares. The only requirement from our standpoint is that the organization must provide us with read-only access to the shares being scanned.
These scans can take a long time to complete, even working 24/7, depending upon the amount of data to be analyzed. Once the scanning process completes, the utility analyzes it for specific items or terms, such as PHI, PII, PCI, financial data, or potential General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA) issues. We can also search for items of interest to the organization, say, for a particular project.
While one might think that an organization would have a pretty good idea of what its servers contain, it's often the case that we find thousands of files outside of their approved locations. It’s also common to identify people without a business need having access to sensitive material, which needs to be corrected. It's also common to find sensitive items like login credentials stored in plain text on open documents like PowerPoint slides.
The fact that so much data is found in unexpected places means an organization might not comply with its own policies and local privacy regulations.
If the organization’s policy is that all healthcare-related data must be destroyed after six years, the IT staff must know where that data is to accomplish this task. Otherwise, the records could remain hidden for years exposing the organization not only to regulatory fines but the data could be compromised during a data breach.
It’s important for any potential client to know that a scan conducted as part of a data assessment does not look for malware or viruses. However, that does not mean the scan does not help improve an organization’s overall cybersecurity posture.
For example, suppose we discover that the entire organization has access to a particular share, and an attacker hits the organization with ransomware. In this case, this broad level of access will allow the malware to spread laterally with ease. However, if the share is limited to only those who require access, the malware will find it much more difficult to spread. So, by discovering and eliminating unnecessary access to a share, the organization can better lock down its data.
The other benefit to completing an assessment can be seen in a worst-case scenario when an attacker has gained entry and access to your data. Now that you know what data the attacker has accessed, you can properly respond. Without this knowledge, a targeted organization would be making decisions about how to respond in the dark, giving a tremendous advantage to the attacker.
For example, in many recent attacks, threat actors claim to have stolen records, credentials, and PII and threaten to make this information public if the victim does not pay the ransom. With an assessment in hand, you can verify what data might be in danger and respond properly to the attack.
Without a firm understanding of what you have inside your organization, it is difficult to assess the situation and make the best decision. Reach out to your Trustwave Account Manager to schedule a call with the Trustwave Cyber Advisory team to see if a Data Assessment Engagement is right for you.