Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

The Digital Ship is Full of Leaks. But There Are Ways to Keep it Afloat.

Years ago, while anchoring the CBS Evening News during an on-air mishap, Dan Rather made an offhand remark, observing that “To err is human.  But to really screw up, you need a computer.” 

Years ago, while anchoring the CBS Evening News during an on-air mishap, Dan Rather made an offhand remark, observing that “To err is human.  But to really screw up, you need a computer.” 

His observation was, to be sure, somewhat facetious, although the power of digital technology to amplify small mistakes and oversights into massive ones is real. But its underlying truth is undeniable: today’s technology, particularly at a time of wholesale digital transformation, has expanded the threat surface exponentially, and it keeps expanding all the time, frequently exceeding the bandwidth of human operators to triage which threats are more critical. And what can appear as a ‘threat’; might be a false positive or negative, meaning a ‘fix’ just ends up blocking everything else. 

Managing the functions of IT systematically is a huge challenge, and it has been made even more difficult by the accelerated pace of software development and delivery, a la DevOps.  Not surprisingly, the combined effects of speed and complexity erode security practices, increasing the likelihood of sensitive information such as data, code, and credentials becoming exposed online. According to research conducted by Google (PDF), elite performing organizations typically deploy software updates to their end-users many times a day. That’s a lot of opportunity for error.

One of the biggest risks to organizations is from the teams of developers – both internal and external working on their IT projects. Research from the North Carolina State University (PDF) found that leaks of digital secrets – passwords, cryptographic keys, API, and access credentials to more than 100,000 private code repositories – take place on development platforms such as GitHub thousands of times a day. A prime example of this is Uber’s 2016 breach, which occurred when hackers discovered that the company’s developers had published code that included their usernames and passwords on a private Github account. Beyond that, employees can inadvertently commit sensitive technical data to public repositories too. This includes proprietary code, internal network details, and live code, and is particularly rampant when there are no clear internal security policies or guidance on what should or shouldn’t be shared. 

What it amounts to is this: while there is a significant amount of cybercrime, and countless individuals and groups who maliciously attack the data of companies and institutions, their dirty work is often enabled by inadvertent errors of honest employees who are rushed to deliver software updates in an increasingly complex digital environment. And the opportunities for accidental exposure of sensitive information, while abundant, are often compounded by multiple stakeholders working together online using collaborative tools without the proper policies, oversight and security training. 

At the same time, though, there are some reasonable and inexpensive steps an organization can take to minimize the threat of exposure. For example, monitoring for misplaced technical assets can be done either by a specialized contractor or using free, open-source tools such as Git Hound or TruffleHog, which search for and can help prevent data leakage.  Also, when using software collaboration tools like GitHub or GitLab, it is essential to make sure security protocols are set to prevent activity from being posted publicly.  

Automating the process to rapidly identify and remediate risks related to unwanted code exposure is another option with specialty services available from a number of providers in a rapidly growing market. And finally, there’s employee education and training. Many unintended leaks take place because an individual may not have been versed in company policy about securing technical data. Initial training and periodic refresher sessions can be a huge help in increasing awareness of potential leaks and preventing major new screw ups.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...