Preventing Data Breaches / Data leaks (TLP: WHITE)
Original Issue Date: January 20, 2021
Updated: November 23, 2022
Severity Rating: High
It has been observed that incidents of data breach and data leaks affecting Indian organisations are on the rise. In cases of data breaches, the main targets of attackers are businesses, financial institutions, healthcare sector, e-commerce, and startups. The kind of information usually targeted is data that can identify particular individuals such as email, mobile no, medical reports etc., organisation's trade secrets and/or intellectual property (IP).
Attackers are using a variety of techniques to overcome the security systems of their targeted businesses in order to steal private data. They try to target public-facing/ external systems of businesses to ultimately gain access to the internal networks, servers and databases.
Another trend which has been observed is that attackers are exfiltrating data and then deploying ransomware to encrypt the data they have stolen. In such incidents, attackers also threaten to release the stolen data in public domain, if the ransom is not paid.
I. Common causes of Data breach / Data leak
The common causes of such incidents are as follows:
Poorly configured network devices can inadvertently allow traffic that would otherwise have been blocked, while incorrect file permissions on a server could expose vital data to risk. It is also possible to send data accidentally to any wrong person, misconfigured servers and careless uploads to public folders, directory listing can also lead to data breach or leakage.
Database applications with default settings, without appropriate authentication, authorization control can lead to data breach/leak incidents. Sensitive data from publicly exposed open dashboards, web pages may get crawled and indexed by internet search engines. Data scraping may also happen by Bots with automated methods.
Application vulnerabilities are system flaws or weaknesses in applications that could be exploited by threat actors to compromise the security and integrity of the application.
Commonly exploited vulnerabilities which could cause data breaches/leaks include Insecure Direct Object Reference (IDOR), SQL injection, Insecure API endpoints, Directory listing.
Most insider misuse happens through misinformed / uninformed staff and disgruntled /compromised users. Although most data breaches are facilitated by external malicious actors, it is still the case that insiders with or without privileged access are playing a key role in data breaches. People make mistakes and their minor mistakes could lead to a big loss to the business. Confidential information may get distributed without using any data prevention techniques.
Developers/programmers may accidentally commit/push source code embedded with secrets like passwords/keys/tokens/certificates to public repositories of GitHub, GitLab and Bitbucket etc. This may lead to unauthorized access to critical applications and may cause severe data breaches.
Weak/ Default/ Stolen Credentials
Stolen or default credentials are one of the easiest ways attackers get access to systems, enabling them to gain access to sensitive content and resources. Also poorly configured VPN and Work from Home methods result in compromise of legitimate accounts and allow further misuse.
Further data breaches/leaks may happen due to compromise of third-party vendor or business partners
II. Best practices to prevent data breaches:
i. Organisations are advised to prepare detailed incident response plan and define roles and responsibilities of Chief Information Security Officer (CISO) and other senior personnel. Reporting and compliance requirements shall be clearly specified in the security policy. In addition, share the details of CISO with CERT-In through Email (info AT cert-in.org.in)
ii. Apply appropriate authentication and authorization controls for database applications
iii. Audit and patch the vulnerable applications on priority
iv. Consider employing hybrid data security tools that focus on operating in a shared responsibility model for cloud-based environments.
v. People have always been the weakest link in the cybersecurity chain. Provide training to employees to avoid clicking on a link in a spear-phishing email, reusing their personal password on a work account, mixing personal with work email and/or work documents, or allowing someone they shouldn't to use their corporate device- especially in Work from Home environments.
vi. Establish and maintain an incident response team and evaluate incident response plans frequently.
vii. Identify and classify sensitive/personal data and apply measures for encrypting such data in transit and at rest. Deploy data loss prevention (DLP) solutions / processes.
viii. Deploy detection and alerting tools and create process to prevent, contain and respond to a data breach/ data leak.
ix. Develop and maintain strong policies enforcing strong passwords (password management) and the use of multi-factor authentication (MFA). MFA adds additional layer of security and reduces the risk of perpetrator using stolen credentials to move an attack further.
x. Always keep up-to-date operating systems and other application software because attackers identify the bugs in old versions and use them to attack.
xi. Consider using models that take the "least privilege" approach to provide security for both on-and off-premises resources (i.e. zero-trust models).
Zero Trust is rooted in the principle of "trust nothing, verify everything." This security model requires strict identity verification for each and every resource and device attempting to get access to any information on a private network, regardless of where they are situated, within or outside of a network perimeter.
xii. Micro-segmentation helps contain the movement by giving organizations increased control over lateral communication that occurs between resources.
Furthermore, in the event of a breach, micro-segmentation serves to limit the possible lateral exploration of networks by bad actors.
xiii. Enforce BYOD security policies, like requiring all devices to use a business-grade VPN service and antivirus protection.
xiv. Create policies and plans for engaging with governance, risk management and compliance teams.
xv. Evolve and implement a Data Backup policy. All the business-critical data should be backed up regularly to prevent data loss and to ensure faster recovery from data breach.
xvi. For web content, use anti-crawling and anti-scraping techniques as appropriate.
xvii. Conduct third party risk assessment.
xviii. Continuously monitor the IT assets and setup alerts for detecting:
III. Best Practices while using cloud services:
- Failed /unusual Login Attempts
- Unusual Traffic Volumes
- Configuration changes
Data breach/data leak incidents are increasing due to compromised or mis-configured cloud-based instances. Best practices for preventing such incidents while using cloud instances such as AWS S3, Azure Blob, Google cloud storage are given below:
i. Check public accessibility of all cloud instances in use. Make sure that no server/bucket is inadvertently leaking data due to inappropriate configurations.
ii. Ensure proper security of AWS/Azure/GCP access tokens. The tokens should not be exposed publicly in website source code, any configuration files etc.
iii. Implement appropriate security measures for testing, staging and backup environments hosted on AWS/Azure/GCP. Ensure that production environment is kept properly segregated from these. Disable/remove older or testing environments if their usage is no longer required.
iv. Ensure encryption of data at rest and in transit
v. Implement least privilege principle for access control with granular permission to cloud resources
vi. It must be noted that cloud service providers follow a model wherein a number of security aspects are customer's responsibility. It is advised to be thoroughly aware of these and implement appropriate security policies and controls.
Following is the list of resources which may be diligently studied and suggested measures may be implemented as appropriate to infrastructure and environment.
IV. Best practices while using MongoDB and Elasticsearch servers:
- Introduction to AWS Security whitepaper
- Amazon S3 Security
- AWS Security documentation
- Azure Blob storage security
- Azure Security documentation
- Google Cloud security best practices
It has been observed that data breach/leakage incidents have involved MongoDB and Elasticsearch instances also. Major factor in all such incidents has been observed to be a lack of appropriate authentication mechanism and proper security measures allowing unauthenticated remote attackers to access and manipulate the databases.
Best practices for securing MongoDB:
i. Enable Role-based access control to enforce authentication and require users to identify themselves.
ii. Use TLS/SSL for all incoming and outgoing connections including communication between internal components of MongoDB as well as between applications and MongoDB.
iii. Encrypt the MongoDB data stored in the storage layer and use appropriate file system permissions to restrict access to the data.
iv. Use firewalls to minimize overall exposure and ensure that only traffic from trusted sources can reach the system running MongoDB and that MongoDB can only connect to trusted outputs.
Best practices for securing ELK stack instance:
i. Use a reverse proxy software such as nginx or mod_proxy (for Apache HTTP server) to restrict direct access to the ELK components and configure it properly to have Role-based access control.
ii. Change the default ports of Elasticsearch, Logstash and Kibana on which connections are made.
iii. Use firewalls to restrict connections to the system running the ELK stack. Please refer CERT-In advisory CIAD-2019-0017 "Securing MongoDB and ELK stack instances" for detailed account of best practices.
V. Steps to be taken when organisation/entity is affected by a data breach/data leak:
i. Disconnect the compromised system from the internet, but don't turn it off. Turning of the system could result in loss of crucial evidences which would be needed for the analysis and investigation of the incident.
ii. Ensure all credentials in an organization, including service accounts, are reset and that default passwords or those similar to previous passwords are not used.
iii. Mitigate any vulnerabilities that were exploited
iv. Report the data breach/ data leak to CERT-In Incident Response Help Desk immediately. (email: incident AT cert-in.org.in , see Contact us page for details)
v. Notify users/customers who could be affected immediately with details of information breached; actions being undertaken to address the problem and how they can reach back for any queries. The notification should also include detailed guidance on protective/remedial measures to be taken by the impacted users/customers.
VI. Best practices for individual users to safeguard against data breaches
i. Use strong and unique passwords for all the online accounts. Use a password manager software. Use different passwords for different online accounts.
ii. Enable two-factor authentication wherever available.
iii. Regularly update all the software on computers, smartphones and other devices. Install a reputed anti-virus solution on systems, keep it updated and configure it to run scans periodically.
iv. Be wary of clicking links received in unsolicited SMS messages or emails. Do not open email attachments from unknown senders. Limit sharing personal information on public online forums.
v. While making online payments, ensure that the merchant website as well as the payment gateway websites are running on HTTPS and have a valid certificate (usually shown as a "green lock" symbol near the address bar in most browsers).
vi. Do not share personal information, OTPs etc. over phone calls purporting to come from customer service, bank etc. Refuse to install any apps on smartphone / computer if asked to do so by an unknown person over phone call or in person.
vii. Refer to website https://www.csk.gov.in for security best practices and free bot removal tools for computers and mobile devices.
The information provided herein is on "as is" basis, without warranty of any kind.
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003