Big Data Analytica – What Attackers might be after
A while ago the Cambridge Analytica issue rocked the news and the online discussions about how personal data and profiles should be used. Frankly the surprise of data being abused comes as a surprise. The terms and conditions of most online portals, services, and platforms contains lots of rights – which you give to the owner of the platform. Once something is concentrated, cached, and accessible to digital evaluation, it will be harvested for its content and context. It’s as simple as that. This has always been the case. Penetration testers (best case) select their targets based on this criterion (among others). What has all of this to do with information security? Well, information security, just as the social media platforms, just can’t do without analysing data. The difference is how to protect and transport it. Data collected by social media interaction is refined and can be accessed via API by selected parties, i.e. customers. Your infrastructure’s data based on security metrics and its refined versions of the data should not be accessible outside tightly controlled security zones. When’s the last time you have checked this? Are you sure that there isn’t some system talking to an API out there?
The glory of continuous integration and the DevOps hype have led to automated systems that have access to repositories, source code, databases, documents, and possibly production systems. Build systems such as Jenkins have a lot of access privileges. Configuration management tools need to access hosts in order to do their work. In turn they get their configuration from somewhere. Monitoring systems have access to data. The Cloud introduces lots of access tokens and secret keys that are distributed. Make sure your systems only do what they have to do, and that no one interferes with your set-up. Shodan is full of systems that act as a node, interfacing different systems with different access levels. These hosts should never be there. They were the topic of one of BSidesLondon 2018’s Rookie Track. The presentation yielded some scary findings.
So apart from the truth, your data might be out there. Smart attackers won’t tell you when they get access. They might mine your data quietly, create profiles, and then know what they need to know in order to strike. Just like social media platforms. 😀