Anybody Have Any Data? Go Phish!

Anybody Have Any Data? Go Phish!

By Steve Gold
Posted in Security
On June 01, 2023

You can’t protect what you can’t see!

You can’t protect what you can’t see!

You can’t protect what you can’t see! 

Anybody seeing a theme here? Establishing a process to inventory where your data lives (on-premises storage, mail platforms, endpoints, mobile devices, cloud storage, cloud infrastructure, blah, blah, blah) is the first step in building a data management framework.

The second step is to establish labels for your data to understand what data you should protect and to what level you need to protect it. Labels can be as simple as “Sensitive,” “Confidential,” and “Public.” You can go even deeper by leveraging some COTS (commercial off-the-shelf) products that will go inside of each file, screenshot, image, etc., to pick out Social Security Numbers (SSN), credit card numbers, and other Personally Identifiable Information (PII).

An organization’s loss of control over protected or sensitive data is a serious and often reportable business impact. While some data is compromised or lost because of theft or espionage, the vast majority is lost as a result of poorly understood data management rules and user error.

The biggest challenge I’ve seen is the chaos created after a breach and data hits the dark web. Organizations scurry to identify what was inside those files to determine how to report it and to whom. Now that they know what files (filename.doc) were exfiltrated, they then must find all of the file locations and versions. Feel free to peek at your email inbox, sent items, and deleted items (along with all your archived storage files) and sort by attachments.

You can’t protect what you can’t see so establish and maintain a data inventory.

Here’s the CIS definition of this Control/Safeguard. If you want more detail, DM me.

CIS Control 3 – Data Protection

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

Implementation Group 1

CIS Safeguard 3.2 - Establish and Maintain a Data Inventory

Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.

Steve Gold

Steve Gold

Steve Gold is Gotham’s Cybersecurity Practice Director. During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, including Dell and VMware. His expertise includes Cloud Computing, Channel Development, Territory Management, and Government Sales. For the past decade, Steve focused on helping State, Local, and Educational organizations secure their data and worked to assist them in implementing technology solutions that address their major business challenges.