Reports that targeted trojan malware is using data streams formatted as a Microsoft Windows update to communicate back to base highlight the need for a similarly automated approach to data governance.
The trojan attack – which has been analysed by colleagues over at Seculert and Zscaler – appears to have targeted a number of US government agencies and allied organisations.
This attack reportedly exploited a vulnerability in Adobe Reader to install a Remote Access Trojan (RAT). A PDF, disguised as a conference invitation, was sent to specific individuals via email. When the attachment was opened, the Trojan was installed on the victim’s workstation, allowing the attacker to control it clandestinely, apparently camouflaging its traffic and binary files to look like normal Windows Update behaviour.
It’s bad enough that data on the infected workstations is compromised. What’s worse is that by controlling a system inside the organisation’s perimeter defences, the attackers often have wide, unmonitored access to network file shares, SharePoint sites, and mailboxes, and the scope of the breach expands exponentially. Sensitive data – usually stored all over the network – is up for grabs with no notice.
The data on file shares and other unstructured platforms has grown so quickly that organisations have been unable to keep up with basic access control tasks – users have access to far more data than they require, much of it is sensitive, and many folders and files are accessible to large numbers of employees. In most cases there is also no record of who is actually accessing data on these platforms, as this kind of auditing has been traditionally unavailable and/or unrealistic.
This is a data governance specialist’s worst nightmare: a compromised computer siphoning data from your valuable data stores, and an inability to detect data flowing from them – then a leak to an outside organisation.
Workstations are going to be compromised, and some employees will steal. The way to minimise the threat is to use automation to restrict what every user (and workstation) has access to, monitor and analyse all use, and alert on potential abuse.
And whether the data is structured or unstructured (the latter is far more difficult to track), an automated data governance system can restrict excessive access, audit all use, and alert on anomalous usage so a security professional can analyse what is happening.
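As an added illustration of the "audit all use and alert on anomalous usage" idea above (example code written for this page, not from the original post or any vendor's product): a small detector that baselines how many distinct file-share folders each user/workstation pair normally touches per day and alerts when that count jumps and previously unseen sensitive folders appear, the pattern a compromised workstation siphoning data would produce. The audit event format, sample events and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample audit events (hypothetical format):
# (day, user, workstation, folder, folder_is_sensitive)
AUDIT_EVENTS = [
    ("d1", "alice", "ws-17", r"\\fs1\finance\q3", True),
    ("d1", "alice", "ws-17", r"\\fs1\finance\q3", True),
    ("d2", "alice", "ws-17", r"\\fs1\finance\q3", True),
    ("d2", "alice", "ws-17", r"\\fs1\finance\q4", True),
    ("d3", "alice", "ws-17", r"\\fs1\finance\q4", True),
    # d4: same account and workstation suddenly walks many unrelated shares
    ("d4", "alice", "ws-17", r"\\fs1\hr\payroll", True),
    ("d4", "alice", "ws-17", r"\\fs1\legal\contracts", True),
    ("d4", "alice", "ws-17", r"\\fs2\eng\designs", True),
    ("d4", "alice", "ws-17", r"\\fs2\eng\src", False),
    ("d4", "alice", "ws-17", r"\\fs3\sales\pipeline", True),
    ("d4", "alice", "ws-17", r"\\fs3\sales\customers", True),
    # bob is a normal engineer with a steady daily footprint
    ("d1", "bob", "ws-22", r"\\fs2\eng\src", False),
    ("d2", "bob", "ws-22", r"\\fs2\eng\src", False),
    ("d3", "bob", "ws-22", r"\\fs2\eng\designs", True),
    ("d4", "bob", "ws-22", r"\\fs2\eng\src", False),
]


def distinct_folders_per_day(events):
    """Map (user, workstation) -> {day: set of distinct folders touched}."""
    per_day = defaultdict(lambda: defaultdict(set))
    for day, user, host, folder, _ in events:
        per_day[(user, host)][day].add(folder)
    return per_day


def find_anomalies(events, factor=3.0, min_new_sensitive=2):
    """Alert on (user, host, day) when the day's distinct-folder count exceeds
    `factor` x the median of that principal's prior days AND at least
    `min_new_sensitive` sensitive folders were never touched before.
    At least two prior days are required before a baseline exists.
    Thresholds are illustrative assumptions, not taken from the page."""
    sensitive = {folder for _, _, _, folder, flag in events if flag}
    alerts = []
    for (user, host), days in distinct_folders_per_day(events).items():
        seen_before, prior_counts = set(), []
        for day in sorted(days):
            today = days[day]
            new_sensitive = sorted(f for f in today - seen_before if f in sensitive)
            if len(prior_counts) >= 2 and len(today) > factor * median(prior_counts) \
                    and len(new_sensitive) >= min_new_sensitive:
                alerts.append((user, host, day, len(today), new_sensitive))
            seen_before |= today
            prior_counts.append(len(today))
    return alerts
```

Running `find_anomalies(AUDIT_EVENTS)` flags only alice's workstation on d4; a real deployment would feed the alert to an analyst together with the list of new sensitive folders so the affected data stores can be assessed.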
Attackers will not necessarily be stopped in their tracks, but automated data governance makes their job more arduous, and makes it far more difficult to evade detection. Using sophisticated data governance technology in this context acts as a safety net that prevents a data breach from occurring – even in the face of a successful malware infection within the organisation’s network perimeter.