Preventing a Twitch or Sony Level Hack

Nothing is 100%, but there is a lot you can do to prevent and/or reduce the impact of a data leak.

The latest victim of a massive data breach was Twitch. It’s got lots of executives concerned about the security of their systems. It’s a bit reminiscent of the Sony hack a number of years ago.

Although many companies spend a lot of time ensuring their customer data is secured, and rightly so, little attention is paid to corporate security. Corporate security refers to the internal corporate data that keeps the company moving along.

Let me outline some examples of corporate data:

  • Emails: all of them, including password resets, casual conversations, and so on

  • Slack DMs and Teams Conversations

  • Performance Reviews

  • Salary and compensation information (including executive compensation)

  • Cap Table

  • Financial Information such as:

    • Vendor contracts

    • Fees for consultants

    • Customer financials (like Twitch user earnings for example)

What’s the riskiest item here for your company? In other words, if the WORLD knew a piece of information above, what would be the most impactful?

  • Does your company have a loose policy on how it speaks about customers and clients? Or even each other? Then email and Slack could be your biggest concern.

  • Would a leak in vendor and client fees hurt your competitive advantage or negotiating capabilities for future deals?


Data Loss Protection Controls for a Twitch Hack

I’m going to list (almost) every possible control one can do to help prevent or lower the risk of such an attack. Nothing is foolproof and there is no silver bullet. If you’ve been reading this for a while, you’ll know that defense in depth is everything.

There Is No Spoon - No Data, No Problem

If the data is not there, then it can’t ever leak, can it?

Do you have every single email and Slack message ever sent? Are there conversations that could impact your company negatively?

Guidelines and Controls

  • Have a policy and provide training around good communication principles. Ask everyone to assume everything typed can be leaked, screenshot, or forwarded.

  • Consider lowering your retention policies on email and Slack. You will need to find the fine line between convenience and security.

    • You’d be surprised what’s in slack sometimes. I once found an open channel by an old employee with tons of API keys in chat.

Data Leak Prevention - Built In Tools

Your existing SaaS tools have a lot of built-in controls to prevent data from leaving your organization. You’d be surprised how easy it is to share information externally.


Here are some examples of scenarios I’ve run into in the past:

  • Users sharing documents and folders with the world or personal user accounts (intentional or not)

  • Users using third-party email clients, especially ones from startups, that retain a copy of all company email (an email hack/leak can happen from anywhere!)

  • Users forwarding emails to their personal emails

  • Users sharing calendars with the world (Imagine how much information is in an EA’s calendar)

  • Admin tools that give employees access to tons of client information, with permissions that let people view data or delete it

Here is a list of possible controls and guidelines:

  • Prevent users or groups from sharing information externally (Drive, Calendar, etc.)

  • Prevent users from forwarding company emails to their personal email

  • Disable IMAP and POP

  • Disable “Less secure apps” in Google Workspace

  • Enable logging of sharing actions

  • Conduct an access review of users quarterly (make this a group effort to prevent too much load on one group)

  • Limit access to sensitive data to only users that require it for their role. Create roles appropriate to the employee role.

    • Does CS really need all those permissions?
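As an added example (not code from the post), here is a small Python checker that shows what “enable logging of sharing actions” buys you: it walks a handful of constructed Drive/Gmail-style audit events and flags the exact scenarios listed above (documents made public or link-shareable, access granted to a personal account, mail forwarded outside the company). The corporate domain, event names and field names are assumptions standing in for whatever your own admin console exports.

```python
import json

CORP_DOMAINS = {"example.com"}  # assumption: your company's own mail domains
PUBLIC_VISIBILITY = {"public_on_the_web", "people_with_link"}

# Constructed sample events, one JSON object per line; the field names are a
# simplified stand-in for what a Drive/Gmail admin audit export would contain.
SAMPLE_LOG = """\
{"actor": "alice@example.com", "event": "change_document_visibility", "doc": "Cap Table", "visibility": "people_with_link"}
{"actor": "bob@example.com", "event": "change_user_access", "doc": "Vendor contracts", "target": "carol@example.com", "role": "editor"}
{"actor": "bob@example.com", "event": "change_user_access", "doc": "Vendor contracts", "target": "bob.personal@gmail.com", "role": "viewer"}
{"actor": "dave@example.com", "event": "create_forwarding_rule", "forward_to": "dave@outlook.com"}
{"actor": "erin@example.com", "event": "change_document_visibility", "doc": "Team lunch", "visibility": "private"}
"""

def is_external(address):
    """True when the address is outside the corporate domains (or has no domain)."""
    return address.split("@")[-1].lower() not in CORP_DOMAINS

def classify(event):
    """Return a finding string for a risky event, or None when it looks benign."""
    name = event.get("event")
    if name == "change_document_visibility" and event.get("visibility") in PUBLIC_VISIBILITY:
        return f"PUBLIC_SHARE: {event['actor']} set '{event['doc']}' to {event['visibility']}"
    target = event.get("target")
    if name == "change_user_access" and target and is_external(target):
        return f"EXTERNAL_SHARE: {event['actor']} gave {event['role']} on '{event['doc']}' to {target}"
    forward_to = event.get("forward_to")
    if name == "create_forwarding_rule" and forward_to and is_external(forward_to):
        return f"EXTERNAL_FORWARD: {event['actor']} forwards mail to {forward_to}"
    return None

def audit(log_text):
    """Parse one JSON event per non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run against a real export, the same three categories are what a quarterly access review should be surfacing, so the findings double as the review's starting list.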


Data Leak Prevention - Advanced Protection Tools & Methods

Sometimes to truly track your company data, you might want to employ additional controls.

That could involve:

  • Using DLP controls built into your software

  • Obtaining DLP specific software designed to track data from all corporate sources

  • Limiting access to some or all corporate data from company authorized and managed devices only

Conclusion

As you can see, the rabbit hole goes pretty deep. Yes, there is a lot of data out there, but managing the risk of that data being exposed involves a few factors:

  • The type of data you are holding

  • Culture of your company

  • Stage of your company (are you trying just to survive or are you #1 and not trying to get knocked off that pedestal?)

  • Balance between convenience and security

  • Past incidents and precedent

Hopefully this helps paint a more holistic picture next time you wonder, could this happen to me?


Thanks,

Ayman
