We’ve all heard about the latest big vulnerabilities, end-of-life software or compromised passwords as the cause of breaches. However, another pattern is emerging for the financial and insurance sector according to the 2020 Verizon Data Breach Investigations Report (VDBIR): Miscellaneous Errors.
The miscellaneous errors category doesn’t mean someone clicked on a link or attachment in a phishing email, and it doesn’t mean they were intentionally perpetrating a fraud scheme. It does mean there was a mistake in a common task, such as sending an email to the incorrect person, a misconfigured system such as a firewall, or an error in coding. These were the breakout percentages in the VDBIR (percentages approximate):
Misdelivery: 50%
Misconfiguration: 25%
Publishing Error: 5%
Programming Error: 5%
Disposal Error: 5%
Other: 10%
Could this rise be due to cuts and absenteeism caused by COVID? The sudden changes required to allow remote work? It’s really difficult to say for sure; however, this could be a good time to look at your institution’s controls and close calls to make sure you don’t fall victim to this new beast.
- Use the data loss prevention controls available in email: The lessons from my experience all point to one truth: it’s best to keep sensitive data out of email, full stop. Instead, deliver sensitive documents through a portal, for example Citrix Sharefile. Then use your email client’s data loss prevention capability to detect sensitive data in email bodies and attachments, so that these messages are flagged and blocked before they are sent.
We all know, though, that life’s situations are not always ideal. If it must go through email, then use your email client’s ability to flag things, such as a banner stating that the recipients are external. Tighten the settings as far as your business rules allow to limit data loss.
- Use the principle of least privilege: Mistakes happen; it’s human nature. However, we can limit the damage they cause by following one of the basic principles in security: least privilege. This means assigning only those permissions a user needs to do their job. An example of this is ensuring admin credentials are not used for day-to-day job functions, but only when needed. This applies to lower-level access as well: if someone doesn’t need access to a shared drive folder, then they shouldn’t have it. This prevents them from sharing documents from that folder by mistake.
- Use secondary reviews and segregation of duties to uncover errors: This principle is extremely common in financial services. We double count and sign off on cash balances, we require dual control to send wires, etc. High-risk changes, such as firewall rules and code for applications that handle sensitive data, should be no different. Have a second person double check before pressing go.
- Review configurations often: The best caught error is one that is discovered before it causes a problem. So, let’s peek at high-risk system configurations periodically and make sure that all is well. Say there was a temporary need to implement a firewall rule or open a port, and this did not get closed when it should have, leaving your network exposed. This review is the perfect control to catch that miss and prevent a breach or the nightmare of ransomware. We recommend reviewing firewall rules quarterly for exactly this reason.
- Tests: If you have outsourced your IT function or are using a third party to code applications, make sure they have these controls in place and require periodic testing and reports on the effectiveness of these controls. If these are internal controls, ensure they are tested as part of internal audits. Test configurations and code with periodic vulnerability and penetration tests. All of these will point to errors and control breakdowns, which are best caught and fixed before they become a bigger monster.
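As an added example (not from the original post or from Bedel Security), here is a small Python audit that implements the quarterly firewall review described in the "Review configurations often" item: it reads a constructed rule export and flags temporary rules whose expiry date has passed, as well as temporary rules that were never given an expiry at all. The comma-separated export format, the "TEMP expires YYYY-MM-DD" comment convention and the sample rules are all assumptions made for this illustration.

```python
import re
from datetime import date

# Constructed sample export of firewall rules (not taken from any real device).
# Each line: rule name, action, source, destination port, comment.
SAMPLE_RULES = """\
allow-web,allow,any,443,Public web portal
allow-vendor-rdp,allow,203.0.113.10,3389,TEMP expires 2020-04-15 ticket CHG-1234
allow-db-test,allow,any,1433,temporary for migration test
allow-sftp,allow,198.51.100.0/24,22,Vendor SFTP (permanent)
allow-patch,allow,any,8080,TEMP expires 2020-12-31 ticket CHG-1300
"""

# Assumed comment convention: "TEMP"/"temporary" marks a rule that should be
# removed later, and "expires YYYY-MM-DD" records when that should happen.
TEMP_MARKER = re.compile(r"\b(temp|temporary)\b", re.IGNORECASE)
EXPIRY = re.compile(r"expires\s+(\d{4}-\d{2}-\d{2})", re.IGNORECASE)


def parse_rules(export_text):
    """Turn the assumed CSV-style export into a list of rule dicts."""
    rules = []
    for line in export_text.splitlines():
        name, action, src, port, comment = line.split(",", 4)
        rules.append({"name": name, "action": action, "src": src,
                      "port": int(port), "comment": comment})
    return rules


def review_rules(export_text, today_iso):
    """Return (rule name, reason) for every rule a reviewer should question:
    temporary rules past their expiry date, and temporary rules that carry
    no expiry at all (nobody will remember to close those)."""
    today = date.fromisoformat(today_iso)
    findings = []
    for rule in parse_rules(export_text):
        if not TEMP_MARKER.search(rule["comment"]):
            continue  # permanent rule: outside this review's scope
        match = EXPIRY.search(rule["comment"])
        if match is None:
            findings.append((rule["name"], "temporary rule has no expiry date"))
        elif date.fromisoformat(match.group(1)) < today:
            findings.append((rule["name"], f"temporary rule expired {match.group(1)}"))
    return findings


if __name__ == "__main__":
    for name, reason in review_rules(SAMPLE_RULES, "2020-07-01"):
        print(f"{name}: {reason}")
```

Run against a real export, the findings list becomes the agenda for the quarterly review: each entry is either closed or re-approved with a new expiry date.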
If you need help implementing any of these controls to prevent an ‘error scare’ contact us at Support@bedelsecurity.com!