Exonar Information Discovery Report (Sample)

Copyright © 2016, Exonar Limited. All rights reserved

Uploaded by jason-phelps, 11-Apr-2017 (Category: Documents)

Executive Overview

Exonar were contracted to carry out a discovery exercise on the unstructured data stored by Acme Plc. The scope provided for indexing some accessible file shares within the organisation. This restricted

The motivation for the discovery exercise was to respond to the problem ‘We don’t know what we’ve got in our unstructured data’. Answering this is critical to improving cyber-security, as mandated by the company’s risk register. The hypothesis was that sensitive information may be stored without adequate protection, and that the existing environment was likely to contain significant numbers of duplicate and obsolete files.

The discovery exercise shows that there is a large quantity of unencrypted high-risk information, such as passwords (figure 13) and clients’ confidential data (figure 20), throughout the network and not limited to any particular file share. A cyber-attack that gains access to the file shares, through a user’s laptop or via the VPN, or an insider with modest permissions on information storage, would give the attacker sufficient information to cause considerable damage to the ongoing business operations of Acme Plc, as well as significant access to and control over Acme’s systems and insight into commercial models and sensitive business information.

It is difficult for an organisation of Acme’s scale, without tools and processes to control the storage and security of sensitive or redundant information, to understand or mitigate this type of risk. It is common for these processes and tools to be in their infancy within commercial companies, whether or not security is a primary driver for business continuity and integrity.

However, Acme clearly take a proactive, measured approach to managing such risks. The published risk register includes both business continuity and cyber security as key issues.

There is a significant opportunity for Acme to reduce the quantity of unstructured information held within network shares without adversely impacting users. As well as providing cost savings for network storage and significantly reducing a large risk, reducing the redundant, obsolete and trivial information will enable users to more easily locate the information they need to be productive.


High Level Findings

Duplicate and Obsolete Information

The information held within Acme’s infrastructure contains extensive duplication (42.1% by size, 38.6% by file count) as well as large numbers of files that have not been modified in over 7 years (20.3% by size, 20.1% by file count).

Passwords

During the discovery exercise we identified 2,341 files containing potential password information. Inevitably there are some false positives; however, manual sampling indicates that a good proportion do indeed contain passwords to systems, email accounts, online banking systems and internal systems.

Sensitive and Personally Identifying Information

The files stored contain many forms of sensitive and personally identifying information (SPI and PII) in large volume. This includes, but is not limited to, salary, personal details, National Insurance numbers and criminal record information. Such information could easily be used to assume an individual’s identity and is particularly problematic when it occurs in large lists in unprotected documents. It would be usual to expect this information to be stored within specific areas, such as those accessible only to the HR department. However, we found strong evidence that it is stored throughout the network without adequate precautions to restrict access: 62% of the information containing PII, totalling 15,770 files, was discovered outside the HR file shares.

Credit Cards

We discovered credit card information stored in a number of documents, covering both corporate and personal cards. A total of 213 files were found containing 411 credit card numbers, in many cases recorded alongside the cardholder’s name, the expiry date and the CVV/security code. Card numbers should be stored only in an encrypted or tokenised form, and the CVV must not be retained at all once a transaction has been authorised (PCI DSS prohibits storing sensitive authentication data after authorisation), so a card number found next to its CVV in a document is a compliance failure as well as a fraud risk.

Document Classification

Acme have not yet implemented the document classification policy. Despite this, there was evidence of some documents carrying a protective marking; however, in general information is not being protected according to its classification. There are a number of locations where sensitive corporate information is stored, some of them comparatively open. The phrases used to indicate sensitive information were ‘Private’ (4,576 files), ‘Personal and Confidential’ (95 files), ‘Privileged and Confidential’ (1,940 files) and ‘Private and Confidential’ (57 files). There was significant evidence of documents containing sensitive corporate information that carried no indication to the user that they should be protected or that distribution should be limited in any way. Several contracts stated that sensitive information should be protected as ‘Secret and Confidential’, yet there was no evidence of this marking being applied to information.


About Exonar

Exonar discovers what enterprise information is critically important, where it is located and who has access to it.

Without these insights adequate information security, regulatory compliance and knowledge management are impossible. 

Using an enterprise scale big data architecture and machine learning  technology to power real-time data classification and document search, Exonar understands the intent and characteristics of information, and enables it to be discovered, understood and acted on.

Government agencies, medium and large enterprises and consulting firms trust Exonar for projects focused on Cyber Security, Data Privacy and Cloud Migration.

Information Intelligence™ is the process of discovering and understanding the information in our companies and acting on that understanding; the Exonar platform enables this process (Figure 2).

Results

The Data Discovery exercise included a total of 8.16TB and 10,228,552 documents.

The file shares within the scope of this discovery exercise can be found in Appendix A.

Data provided by ACME detailed a total of 2900 users.


File Duplication

Duplicated file information is shown across the file shares included in the Exonar discovery process (see Appendix A). Duplication is based on exact duplicates of files or content, i.e. byte-for-byte identical content regardless of filename or location. We do not consider zero-byte files (no content) to be duplicates.

Total Duplicated Files (figure; values recovered from the chart labels):

    By size:  Duplicated 6.20TB (47%), Not duplicated 7.12TB (53%)
    By count: Duplicated 1,946,641 files (42%), Not duplicated 2,667,291 files (58%)

(The size chart totals 13.32TB, which exceeds the 8.16TB given under Results; the sample report’s figures are not internally consistent.)

Duplication by Filetype (figure; y-axis: GB of duplicates, 0 to 5,000; categories: Audio, Document, Images, PDF, Spreadsheet, Web; legend: Duplication Amount). Bar values as extracted, in chart order and not reliably attributable to individual categories: 38.92GB, 3,394GB, 3,570GB, 2,450GB, 4,460GB, 480.74GB, 267.33GB, 1.54GB, 871.77GB, 419.62GB, 22.37GB.

File Age

File age is based on the date the file was last modified by a user or system. Documents older than 7 years occupy 769GB or 11% of the total storage.

GB of duplicates by bucket (figure; y-axis: GB of duplicates, 0 to 12; x-axis buckets 1-3, 4-10, 11-20, 21-50, 51+, unlabelled in the extraction and apparently the number of copies per file). Values as extracted, in chart order: 0.01GB, 0.04GB, 0.424GB, 0.974GB, 11.5GB.

Number of files (thousands) by age (figure; x-axis buckets: 0-6 Mth, 6-12 Mth, 1-3 Yr, 3-7 Yr, 7+ Yr; y-axis 0 to 1,600). Values as extracted, in chart order: 1,467; 1,328; 920; 382; 368.

File Size Information

Large files account for a significant proportion of the file estate within Acme. For example, the 631 files over 100MB occupy 925GB of disk space, 13% of the total storage.

Temporary Files, Autosaves and Bak files

43,058 files (22.10GB) were found with the extension .bak or .tmp, or with a filename prefixed with “$”, indicating that they are temporary files; this equates to 2% of the total size of all files.

Of the temporary files sampled during the discovery process, a significant proportion included PII and other sensitive information.
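The file-level statistics in this report (exact-content duplication excluding zero-byte files, the age buckets, the size buckets and the temporary-file definition of .bak/.tmp or a “$” prefix) are all derivable from a single pass over the file estate. The script below is an added example, not Exonar’s code: it hashes content with SHA-256 so that identical files are grouped whatever their name or location, and it counts every copy beyond the first in a group as reclaimable. `scan_tree` assumes a local directory tree; the `SAMPLE` records are constructed, with letters standing in for real digests.

```python
"""Inventory of an unstructured file estate: exact-content duplicates (zero-byte
files excluded), file age and size buckets, and temporary/backup files.

Added example, not Exonar's code. The scanner assumes a local directory tree;
the sample records at the bottom are constructed.
"""
import hashlib
import os
from collections import Counter, defaultdict
from dataclasses import dataclass

DAY = 86400.0
YEAR = 365.25 * DAY
AGE_BUCKETS = [(0.5 * YEAR, "0-6 Mth"), (1 * YEAR, "6-12 Mth"), (3 * YEAR, "1-3 Yr"),
               (7 * YEAR, "3-7 Yr"), (float("inf"), "7+ Yr")]
SIZE_BUCKETS = [(10 << 10, "0-10KB"), (100 << 10, "10-100KB"), (1 << 20, "100KB-1MB"),
                (10 << 20, "1MB-10MB"), (100 << 20, "10MB-100MB"), (float("inf"), "100MB+")]
TEMP_EXTENSIONS = {".bak", ".tmp"}


@dataclass
class FileRecord:
    path: str
    size: int
    mtime: float   # last-modified time, seconds since the epoch
    digest: str    # SHA-256 of the content; "" for zero-byte files


def hash_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so multi-GB files never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root):
    """Walk a directory tree and build FileRecords (symlinks are skipped)."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            st = os.stat(path)
            digest = hash_file(path) if st.st_size else ""
            records.append(FileRecord(path, st.st_size, st.st_mtime, digest))
    return records


def bucket(value, buckets):
    """Label of the first bucket whose upper bound exceeds value."""
    for limit, label in buckets:
        if value < limit:
            return label
    return buckets[-1][1]


def is_temp(path):
    """The report's definition: .bak/.tmp extension or a '$'-prefixed filename."""
    name = os.path.basename(path)
    return name.startswith("$") or os.path.splitext(name)[1].lower() in TEMP_EXTENSIONS


def summarise(records, now):
    groups = defaultdict(list)
    for r in records:
        if r.size > 0:              # zero-byte files are never counted as duplicates
            groups[r.digest].append(r)
    dup_groups = [g for g in groups.values() if len(g) > 1]
    return {
        "files": len(records),
        "bytes": sum(r.size for r in records),
        "files_in_duplicate_groups": sum(len(g) for g in dup_groups),
        # every copy beyond the first in a group is redundant and reclaimable
        "redundant_copies": sum(len(g) - 1 for g in dup_groups),
        "reclaimable_bytes": sum(r.size for g in dup_groups for r in g[1:]),
        "age_files": Counter(bucket(now - r.mtime, AGE_BUCKETS) for r in records),
        "size_files": Counter(bucket(r.size, SIZE_BUCKETS) for r in records),
        "bytes_over_7_years": sum(r.size for r in records if now - r.mtime >= 7 * YEAR),
        "temp_files": sum(1 for r in records if is_temp(r.path)),
        "temp_bytes": sum(r.size for r in records if is_temp(r.path)),
    }


NOW = 1_600_000_000.0   # fixed "now" so the constructed sample is reproducible
# Constructed sample records; single letters stand in for real SHA-256 digests.
SAMPLE = [
    FileRecord("finance/report.docx", 1000, NOW - 30 * DAY, "A"),
    FileRecord("sales/report copy.docx", 1000, NOW - 2 * YEAR, "A"),
    FileRecord("archive/report (1).docx", 1000, NOW - 8 * YEAR, "A"),
    FileRecord("hr/payroll.xlsx", 5_000_000, NOW - 200 * DAY, "D"),
    FileRecord("archive/empty1.txt", 0, NOW - 8 * YEAR, ""),
    FileRecord("archive/empty2.txt", 0, NOW - 8 * YEAR, ""),
    FileRecord("it/config.bak", 300, NOW - 2 * YEAR, "G"),
    FileRecord("it/$notes.docx", 200, NOW - 10 * DAY, "H"),
]

if __name__ == "__main__":
    for key, value in summarise(SAMPLE, NOW).items():
        print(f"{key}: {value}")
```

On a real share, replace `SAMPLE` with `scan_tree(r"\\fileserver\share")` and pass `time.time()` as `now`. Hashing content rather than comparing names is what makes “report copy.docx” and “report (1).docx” collapse into one group; the two empty files share a digest but are deliberately not reported as duplicates, matching the report’s rule.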

Number of files (thousands) by size (figure; x-axis buckets: 0-10KB, 10-100KB, 100KB-1MB, 1MB-10MB, 10MB-100MB, 100MB+; y-axis 0 to 4,000). Values as extracted, in chart order (one fewer than the buckets, so the mapping is not recoverable): 0.777; 909; 2,022; 3,432; 2,533.

Sample excerpt from a discovered document containing log-on credentials (redacted; the excerpt begins mid-sentence):

    will "Go Live" on the upgraded system as part of Project XXX on Monday, October 25th, 2004. Please refer to the log on instructions below to access beginning October 25th, 2004. We recommend you print these instructions to refer to as you log on to the upgraded system for the first time.

    Your User Name is: XXXXXXXX

    Your Password is: XXXXXXXX

Sensitive Information

Files containing passwords

2,557 files were found that were likely to contain password information pertaining to individual users, IT servers and third-party systems.

Of the 2,557 files found that contain password information, only 55 (2%) have “password”, or a derivative of it, in the filename; the remainder would not be found by searching on filenames alone.

Sample excerpt from a discovered IT notes file containing service credentials (redacted):

    --------------------------------
    -----Shared Services------------
    --------------------------------
    ******Start of Info********
    Host name: USCCIPXXXX
    Port: 58080
    username: admin
    password: XXXXXXXXXX
    User mgmt console URL: http://USCCIPXXXX:58080/XXXXXX/

Personally Identifying Information and Sensitive Personal Information

Information about people, particularly employees and customers, is regularly the target of cyber-attacks. Consequently, there is increasing regulation on storing this type of information.

Forthcoming regulation (the General Data Protection Regulation) requires appropriate technical and organisational measures for personal data and explicitly names pseudonymisation and encryption among them (Article 32). A starting point for this is to ensure that such information is not widely held.

As a test, we looked for information containing HR information (salaries, payroll etc) being held outside Payroll and HR file shares. Whilst we were not able to fully resolve whether the folder structure relates to authorised departments or not, the indications are that information is held well beyond those with “a need to know”.
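The password, credit card and National Insurance findings above all come down to content inspection with enough validation to keep false positives manageable. The scanner below is an added example, not Exonar’s detection logic: it flags `password:`-style lines, accepts a digit run as a card number only if it passes the Luhn check and records whether a CVV or expiry date sits within the next two lines, validates UK NI numbers against the HMRC prefix and suffix rules, and applies the filename heuristic the report measured (only 2% of password files have “password” in the name). The sample text is constructed in the shape of the redacted excerpts above; the host name, credential and card values are made up, and 4111 1111 1111 1111 is the standard Visa test number. Findings are redacted before they are returned so that the scan output is not itself a new password file.

```python
"""Detect password lines, Luhn-valid card numbers and UK National Insurance
numbers in document text, plus a filename heuristic for password files.

Added example, not Exonar's detection logic. SAMPLE_TEXT is constructed; all
values in it are made up except the standard Visa test number.
"""
import re

PASSWORD_LINE = re.compile(r"(?i)\b(password|passwd|passphrase|pwd)\b\s*[:=]\s*(\S+)")
# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer token
PAN_CANDIDATE = re.compile(r"(?<![\w-])(?:\d[ -]?){12,18}\d(?![\w-])")
CARD_CONTEXT = re.compile(r"(?i)\b(cvv|cvc|cv2|security code|exp(?:iry|ires)?)\b")
# UK NI: first letter not D/F/I/Q/U/V, second also not O; prefixes BG, GB, KN, NK,
# NT, TN, ZZ are unallocated; six digits; suffix A-D.
NI_NUMBER = re.compile(
    r"\b(?!BG|GB|KN|NK|NT|TN|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"
    r" ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")
PASSWORD_FILENAME = re.compile(r"(?i)\bpass(?:word|wd|phrase)?s?\b|\bpwd\b|credential")


def luhn_valid(digits):
    """Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value):
    """Keep only the ends of a hit so a report can identify it without copying it."""
    if len(value) <= 4:
        return "****"
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def looks_like_password_file(name):
    """Filename heuristic; the report found this catches only ~2% of password files."""
    return bool(PASSWORD_FILENAME.search(name))


def scan_text(text, context_lines=2):
    """Return findings as (kind, 1-based line number, redacted value, flags)."""
    lines = text.splitlines()
    findings = []
    for n, line in enumerate(lines, start=1):
        m = PASSWORD_LINE.search(line)
        if m:
            findings.append(("password", n, redact(m.group(2)), {}))
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
                continue        # order ids and random digit runs fail Luhn
            # a PAN stored next to its CVV/expiry is the PCI DSS problem case
            window = " ".join(lines[n - 1:n + context_lines])
            flags = {"cvv_or_expiry_nearby": bool(CARD_CONTEXT.search(window))}
            findings.append(("card_number", n, redact(digits), flags))
        for m in NI_NUMBER.finditer(line):
            findings.append(("ni_number", n, redact(m.group(0).replace(" ", "")), {}))
    return findings


# Constructed sample in the shape of the redacted excerpts in this report.
SAMPLE_TEXT = """\
-----Shared Services-----
Host name: APPSRV01
Port: 58080
username: admin
password: Summer2016!
User mgmt console URL: http://APPSRV01:58080/console/
Corporate card for travel bookings
Card: 4111 1111 1111 1111  Exp 09/19  CVV 123
Employee NI: AB 12 34 56 C (QQ 12 34 56 C is a placeholder, not a real prefix)
Order reference 1234 5678 9012 3456 is not a card number
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_TEXT):
        print(finding)
```

Run against the constructed sample this reports one password line, one card number (flagged because “Exp” and “CVV” sit on the same line) and one NI number; the 16-digit order reference is dropped by the Luhn check and the “QQ” placeholder is rejected by the prefix rule. In a real discovery pass the same functions would be applied to text extracted from each document, with `looks_like_password_file` run over the path as a cheap first signal.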

Recommendations

The file shares within the ACME environment have grown over the years. There’s significant opportunity to review the existing security, retention, data protection and risk management policies and controls to ensure they are fit for purpose and adhered to.

The volume of duplicate and aged information provides huge opportunity to reduce costs associated with storage and improve the productivity of users whilst reducing the security risk. Approaching this as part of a structured change programme will enable the benefits to be realised as part of the planned cloud migration although we would recommend some immediate change to reduce risk.


Number of files (thousands) by category of sensitive information found (figure; x-axis 0 to 3,000). Categories: 100+ emails, Ethnicity Information, Passport Information, Credit Card Details, NI Records, Criminal Record Information, Grievance Information, Medical Information, Salary Details, Bank Details, Personnel Records. Bar values as extracted, in chart order: 1,350; 780; 976; 77; 90; 120; 277; 909; 222; 343; 2,533.

We would recommend:

• an immediate process to remove or restrict the high-risk information identified in this report
• extending the discovery process to email, SharePoint and any other unstructured information stores, and similarly removing or restricting the high-risk information contained therein
• removing duplicate and aged information prior to commencing any migration activity, to reduce storage by up to 50%
• a process to inspect users’ local hard drives for further duplication and risk, particularly where these devices are mobile and/or unencrypted (such as laptops)
• reducing future issues by providing guidance and implementing controls, backed up by technology tools, to help users store information in a low-risk manner
• running a crisis management exercise with an ethical hacking team inside the corporate network, with a specific mandate to disrupt a landmark site

For ongoing maintenance of a clean data store the Exonar platform can be used beyond discovery to monitor against the revised policies and provide instant feedback about user actions and changes to the duplication, age and risk profile of the unstructured data stores ongoing. This will be helpful in preparing for incoming privacy legislation as well as monitoring the information risk profile.
