The British software company Sage suffered a breach according to multiple reports that can be found here, as well as here (and probably more). The breach resulted in the exposure of sensitive employee data of 200-300 companies working with the Sage product.
“We believe there has been some unauthorized access using an internal login to the data of a small number of our UK customers so we are working closely with the authorities to investigate the situation,” the company said in a statement on its UK homepage.
If they could have spotted the abnormal data accessed, and prevent the access to the excess data – we would have probably never heard of this case, and Sage could continue with their business uninterruptedly.
Access on a “need to know” basis
One of the reports claims: “…The company did not specify whether the ‘unauthorised access’ of information, which was reportedly accessed sometime over the past few weeks, was stolen or just viewed.”
At this point I want to stop and ask – is there a difference? Lets park it for now, we’ll get to it later in this post.
Analyzing what probably had happened, it seems that Sage broke the basic data security rule – “Access on a need to know basis: people need access to information they need to do their job, not more, not less” (no way is it possible that a single employee needs so much information in such a short period of time), and unfortunately they are probably not different than 99% of companies with sensitive data stored in their servers.
If I had to guess, I’d say they even looked into enforcing some data access policies at some point in the past, yet the cost of rewriting their enterprise applications weighed in too much compared to the potential risk. Somebody at Sage should have probably learned more about the “Morgan Stanley” case.
So we have two questions here:
- Should every company be shifting resources now, to look at enforcing the “Access to the level and amount of sensitive information you need to do your job” policy?
- Is there ultimately a difference between viewed or stolen information?
Organizations can’t really re-do their entire enterprise applications to address all required security gaps (including enforcing of controls, audit of access to permissible data, etc.) – it makes no business sense. They should instead focus on a cost-effective solution that would minimize risk without changing their entire enterprise application infrastructure.
As for the second question, I want to claim that viewed information, in certain circumstances, can be deemed stolen – here’s why:
- DLP solutions deployed in many organizations block the option to use traditional ways of exporting or printing certain data. So hackers and malicious insiders have to find other ways – which brings us to the next point.
- Once viewed, there are multiple ways in which it can be stolen without anyone knowing (PrtSc, Screen-Scraping, Mobile phone camera), and with leaving no trace.
This means that in order to properly protect sensitive data, a shift in approach is critical – protecting the data at it’s core and preventing data loss when it’s viewed.
There are many ways to achieve this; either through enforcing centralized role-based access policies, flag data access anomalies with full contextual awareness or dynamically alter information presented to users to keep the data safe.
Regardless of the method chosen or the solution applied, if we don’t see companies shifting more attention to their high risk applications data protection – we will keep on hearing about similar cases, probably more frequently, and with greater impact.
[su_box title=”About Elad Koren” style=”noise” box_color=”#336588″][short_info id=’85753′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.