Anatomy of a data breach part 2

In this second part I am going to look at different methods of protecting sensitive data at rest through system hardening. The overall goal is to implement an effective strategy that reduces the potential for a data breach (keeping in mind that meeting compliance requirements is about best effort). First of all we have to understand how a data breach is conducted and what methods are used to reach internal, protected information.

The purpose behind such an attack is to expose or alter information of value to the hacker, such as patient information, financial records or proprietary company data, that can be used for profit. Because these attacks are often targeted and slip past existing anti-virus defenses, the hacker will usually know a great deal about the web platform and the security mechanisms behind it before launching his assault.

There are several ways of attacking these applications and getting access to the data:

  1. SQL injection attack (this can range from the simple insertion of a script to complete takeover of the server).
  2. Code injection attack.
  3. Planting malware on servers.
  4. Exploiting zero-day vulnerabilities in Apache or Internet Information Services (IIS).

It’s important to monitor and protect sensitive information on servers. According to official sources, the TJX Max breach began with hackers compromising a wireless network at a Marshall’s store and gaining access to servers at corporate HQ. Because the hacker had gained administrative access, he was able to FTP credit card information out of the environment and insert custom-written malware that intercepted transactions in real time.

For the purpose of this article we will look at how one can enforce additional security (on specific files that we don’t want leaving a specific server) using the built-in security policies within TruPrevent technologies. In the example shown below I created a file access control rule that prevents the protected information from being altered or copied and, in this case, from being read so that it can be sent to other systems (including external systems).

Figure 1: The directory we are protecting.

Figure 2: We attempt to move the protected information to another server or to an external FTP site (as in the TJX Max breach).

Figure 3: We now get an error from Windows and a pop-up from TruPrevent indicating that the action can’t be performed.
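As an added example (not code from the original post, and not TruPrevent's own policy engine), here is how the same goal can be approximated on a Windows server with only built-in tools: a minimal NTFS DACL so that only one service group can read the files and nobody can modify or delete them, a SACL plus object-access auditing so that every read, write or delete attempt on the tree is written to the Security log, and a query that reports who touched the protected directory and from which process. The directory path and the group name are assumptions; run it from an elevated session. A copy or FTP upload blocked by the DACL shows up as a 4656 event flagged "Audit Failure", which is what you would forward to a SIEM to catch the kind of activity described in the TJX breach.

```powershell
# Added example, not code from the original post or from TruPrevent. Uses the NTFS
# security descriptor (DACL for enforcement, SACL for auditing) to approximate the
# file access control rule shown in the figures. Run from an elevated session.
# $ProtectedDir and $AllowedGroup are assumptions; substitute your own values.

$ProtectedDir = 'C:\ProtectedData'        # assumed directory holding the sensitive files
$AllowedGroup = 'CORP\CardData-Service'   # assumed group that legitimately reads them

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# --- 1. Auditing: record every read/write/delete attempt in the Security log ---------
# The "File System" object-access subcategory must be enabled or the SACL produces nothing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$sacl = Get-Acl -Path $ProtectedDir -Audit
$sacl.AddAuditRule([System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone', 'ReadData, WriteData, AppendData, Delete', $inherit, $propagate, 'Success, Failure'))
Set-Acl -Path $ProtectedDir -AclObject $sacl

# --- 2. Enforcement: replace the inherited ACL with an explicit, minimal one ----------
$acl = Get-Acl -Path $ProtectedDir
# Cut inheritance and discard inherited entries so a broad grant on the parent
# (for example BUILTIN\Users: Read) does not carry down into the protected tree.
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($ace)   # rebuild the DACL from scratch
}
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $propagate, 'Allow'))
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $AllowedGroup, 'ReadAndExecute', $inherit, $propagate, 'Allow'))
# Explicit Deny entries are evaluated before Allow entries, so this binds every
# principal, including SYSTEM and administrators, exactly like the rule in Figure 3.
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    'Everyone', 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles',
    $inherit, $propagate, 'Deny'))
Set-Acl -Path $ProtectedDir -AclObject $acl

# --- 3. Detection: who touched the protected tree, and from which process -----------
# 4663 = a granted access was exercised; 4656 with "Audit Failure" = the open request
# was refused by the DACL (a blocked copy or FTP upload lands here).
function Get-ProtectedFileAccess {
    param([string]$Path = $ProtectedDir, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ObjectName -like "$Path*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Outcome = ($_.KeywordsDisplayNames -join ',')
                User    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Process = $data.ProcessName
                Object  = $data.ObjectName
                Access  = $data.AccessMask
            }
        }
    }
}

Get-ProtectedFileAccess | Sort-Object Time | Format-Table -AutoSize
```

Two points worth keeping in mind when comparing this with a host-protection product such as TruPrevent: the ACL is enforced by the file system, so an account holding SeTakeOwnershipPrivilege can still take ownership and rewrite it (which is why step 1 audits ChangePermissions-style activity indirectly through the 4656/4663 trail and why those events should leave the box), and reads by the allowed group are intentionally still permitted, so the audit records are what tell you whether the service account itself started behaving like an exfiltration channel.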
