Trust is built with consistency, so the saying goes. Every day organizations operate using trusted software and platforms to run their operations, handle their most sensitive data, and execute critical business processes. As long as these mission critical systems are secured, all is well. But, what happens when one of them has critical vulnerabilities? When this occurs, organizations drop everything and scramble to correct or work around the exposure to get back to business as usual.
In December 2021, an incident just like this occurred with Log4j. Log4j is a relatively simple piece of open-source logging software used by organizations worldwide. Shortly before the new year, an extremely critical vulnerability was discovered in it that allowed unauthenticated attackers to execute code remotely. This left organizations exposed, and without appropriate data protection, their datastores were an open book for attackers.
Log4j was not the first time critical infrastructure was found to be faulty, and it will not be the last. This article explores how organizations can protect themselves and their data even when the infrastructure they trust turns out to be flawed.
Organizations incur risk simply by operating. Software or hardware with no known vulnerabilities today is not guaranteed to be safe forever. There is always the possibility that a vulnerability will be discovered, forcing your organization to scramble to patch the hole before attackers make use of it.
Log4j was not the first piece of critical software with previously unknown vulnerabilities. OpenSSL had Heartbleed, the Treck TCP/IP stack had Ripple20, and the Bash shell had Shellshock. All of these were critical pieces of infrastructure that were considered safe, industry-standard software.
One of the primary sources of vulnerabilities comes from the libraries used to design applications utilized in your organization. These libraries provide additional functionality to the code and save developers time in the development process. Many of these libraries are considered industry standards and “safe,” but that is never a guarantee of long-term safety; it is more of a point in time assessment.
Just because a vulnerability is identified does not mean your organization will catch it. Even with mechanisms in place to automatically scan for and detect vulnerabilities, a 0-day may not be identified by the scanner. Gaps remain in your protection until the scanner updates its definitions, or until the vulnerability makes enough waves to hit major news outlets. By that point, attackers are also aware of the problem and will swing into action. Log4j led to millions of attacks worldwide, and it is still being actively attacked.
IoT and Other Risky Hardware
Risk can also come from hardware devices attached to or a part of the network. IoT devices provide functionality for everything from door card readers to environmental controls in an organization and are often directly connected to the network. These devices have a record of being exploitable, with 57% having known high or medium vulnerabilities. This is partly due to manufacturers with poor post-production support to patch and remediate vulnerabilities.
When devices with significant vulnerabilities are connected to your network, they are a tempting target for attackers. They target these devices to serve as staging grounds for more significant reconnaissance efforts and future attacks. These devices are often housed on the same trusted networks as other production equipment, allowing them a depth of visibility that is typically blocked by traditional security controls such as a firewall.
Protecting Your Organization From Your Infrastructure
As there is always a risk of attack from infrastructure vulnerabilities, organizations need to find other methods of protecting themselves, rather than relying on traditional firewall perimeters to be sufficient to keep the bad guys out. With insider threats estimated to account for 33% of all breaches in 2021, organizations should assume that the bad guys are already in the door.
Rather than focusing only on ways to keep attackers out of the infrastructure, companies should focus on protecting the attackers' actual target: the data.
Start With the Data
Taking a data-first approach to security places the security controls where they belong, at the data level. A data-centric approach pairs controls that integrate and work together to protect the data rather than relying on any one of them alone.
These controls limit access to the data and monitor how the data is used. Access management controls limit who can read or alter the data. This pairs with data encryption, which keeps the data in an unreadable state so that only authorized users holding the key can view it. All of this is topped off with anomaly detection to identify when a misuse or inappropriate attempt to access the data occurs. Together, these limit the impact of anyone using stolen credentials, or of malicious insiders, attempting to steal data.
As each of these controls interconnects, they also provide a layered approach to protection. Rather than relying on a single control that attackers could compromise, they weave in layers of similar functionality to create redundancy. Through this redundancy, the data remains secure even if a portion of the overall security or infrastructure is compromised.
Field-level encryption in a database is a prime example of how layering makes an attacker's job harder. When field-level encryption is in use, even if an attacker steals an entire copy of the database, the critical fields remain inaccessible to them without the key. Alternatively, if attackers use an attack such as SQL injection to pull data from the database remotely, the protected fields are still inaccessible if the credentials they are riding on were never granted access to read those fields.
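The two layers described above, as an added example (not code from the original post or from any vendor's product): a single protected column is stored as AES-GCM ciphertext under a key that is assumed to live in the application's key manager rather than in the database, so a stolen dump holds only ciphertext, and the one decrypting code path also checks a hypothetical "ssn:read" grant, so a database login that can SELECT the row still cannot read the field.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds the AEAD from a field key held in the app's key manager (assumed), not the database.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals one column value as nonce || AES-GCM(plaintext) with a fresh nonce per call.
func encryptField(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// readField is the only path that decrypts; it also enforces the second layer:
// a caller without the hypothetical "ssn:read" grant is refused even if its login can SELECT the row.
func readField(key []byte, grants map[string]bool, ct []byte) (string, error) {
	if !grants["ssn:read"] {
		return "", errors.New("caller lacks ssn:read grant")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(ct) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return "", err // wrong key or tampered ciphertext
	}
	return string(pt), nil
}
```

If the key were stored in the same database, the "stolen dump" layer would collapse, which is why the key is kept with the application and not the data.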
Protect Your Data First
When critical infrastructure fails, as it did with Log4j, many organizations are left vulnerable because their security approach does not focus on their data. Relying on strong perimeters to keep attackers out leaves them exposed the moment those perimeters are circumvented. With a data-centric approach, even if attackers get into the infrastructure, they still have many barriers to cross before reaching the data.
Sotero is a leader in providing data-centric security for organizations. Their platform takes a holistic approach to data protection, applying multiple layers of controls. Going beyond basic encryption, Sotero weaves in access controls to streamline management. Sotero’s behavioral monitoring keeps track of your resources and helps to identify when they are being misused, catching attacks early. Interested in learning more about our revolutionary technology? Click here to speak with one of our data security experts.