Sponsor Content

Protecting Public Data and Trust – A State DOJ Case


Hacktivists and Others Targeting Politically Sensitive Data Estates

On June 27, 2022, the California Department of Justice launched a new Firearms Dashboard Portal with altruistic intentions to “improve transparency and information sharing for firearms-related data” and “balance its duties to provide gun violence and firearms data to support research efforts while protecting the personal identifying information in the data the department collects and maintains.” Less than 30 days later, the Attorney General’s Office is being sued by two different parties: a national nonprofit on July 1 and a group of four California citizens on July 18. Both lawsuits are predicated on the assumption that the bold text was not upheld.

The California DOJ and the California attorney general are not alone in facing the three pressures that incited this particular incident.

  • Citizens want greater transparency when it comes to community health data, criminal activity and other politically impacted domains like firearm ownership.
  • This data comes in many forms (databases, video footage, internal reports/memos, court documents, etc.) and resides on a broad array of digital locations.
  • This data is of special interest to hackers looking to leverage personally identifiable information (PII) for financial gain or hacktivists desiring to expose a particular truth or perceived truth by leaking the information to the broader public.

As of this writing, we do not know fully what the data source was, where it was hosted, its architecture, preventative measures that were in place or the attack vector used. Regardless, state/city/county CIOs and CISOs have the task to protect and govern this data throughout its life cycle no matter where the data resides. Thus, the internal conversations happening across DOJs and other agencies throughout the country are centered around preventing similar data and financial loss. Budgets and personnel resources are not easy to come by for mitigation efforts; thus, one avenue worth exploring is simplification and unification of data governance. Below is a discussion on how organizations can more effectively prevent these types of attacks through the use of multiple Azure Security capabilities and Microsoft Entra.

PERFECTION ISN'T THE GOAL - AWARENESS IS

Threats to expose or steal data assets like state-held PII can come in the form of network-based attacks, compromised identities, insider threats and more. To help detect some of these threats and the vulnerabilities they exploit, Microsoft Defender for SQL (if the data lives in a SQL environment) provides a native assessment capability that can be performed at a single moment in time or established as a weekly cadence. The service scans for necessary patches, poorly configured settings, excessive permissions for users, and other baseline management functions.

Beyond mitigating static vulnerabilities via periodic assessments, you can actively monitor your SQL instance with Microsoft Defender’s Advanced Threat Protection capabilities for persistent threats causing havoc in your account. Security analysts can inspect alerts on potential brute-force attempts against SQL credentials, access from unusual locations or a dormant account, access from an unfamiliar IP address or potentially harmful application, and unusual exports from an authorized user or DNS tunneling. This level of awareness won’t prevent 100% of attacks, but it will enable teams to quickly limit the impact of an attack. Stopping attacks midstream can avoid full-blown data exposure or exfiltration like the situation in CA. Other subtle threats can also be detected where users have elevated their privileges or the privileges of others, indicating possible lateral movement or malicious intent.
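To make the alert classes above concrete (brute-force attempts, unfamiliar IP, dormant account, unusual export), here is a simplified illustration added as an example; it is not Microsoft Defender's detection logic, and the event format, thresholds, baseline and sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical thresholds chosen for this illustration.
FAIL_LIMIT, FAIL_WINDOW = 5, timedelta(minutes=2)
DORMANT_AFTER = timedelta(days=90)
EXPORT_FACTOR = 10

# Hypothetical per-user baseline: known source IPs, last successful login, typical rows per query.
BASELINE = {
    "analyst1": {"ips": {"198.51.100.10"}, "last_ok": datetime(2022, 6, 30, 17, 0), "rows": 500},
    "old_admin": {"ips": {"198.51.100.20"}, "last_ok": datetime(2021, 11, 2, 9, 0), "rows": 100},
}

# Constructed sample events (not real logs): timestamp, user, source IP, login outcome, rows returned.
EVENTS = [
    *[(f"2022-07-01T02:00:{s:02d}", "analyst1", "203.0.113.7", "fail", 0) for s in range(0, 50, 10)],
    ("2022-07-01T02:01:05", "analyst1", "203.0.113.7", "ok", 120000),
    ("2022-07-01T09:00:00", "old_admin", "198.51.100.20", "ok", 80),
    ("2022-07-01T09:30:00", "analyst1", "198.51.100.10", "ok", 450),
]

def detect(events, baseline):
    alerts = []
    fails = defaultdict(deque)  # source IP -> timestamps of recent failed logins
    last_ok = {u: p["last_ok"] for u, p in baseline.items()}  # local copy, baseline is not mutated
    for ts, user, ip, outcome, rows in events:
        t = datetime.fromisoformat(ts)
        if outcome == "fail":
            q = fails[ip]
            q.append(t)
            while t - q[0] > FAIL_WINDOW:  # keep only failures inside the sliding window
                q.popleft()
            if len(q) == FAIL_LIMIT:
                alerts.append((ts, "brute_force", ip))
            continue
        prof = baseline.get(user)
        if prof is None:  # a successful login with no baseline is itself worth a look
            alerts.append((ts, "unknown_user", user))
            continue
        if ip not in prof["ips"]:
            alerts.append((ts, "unfamiliar_ip", f"{user}@{ip}"))
        if t - last_ok[user] > DORMANT_AFTER:
            alerts.append((ts, "dormant_account", user))
        if rows > EXPORT_FACTOR * prof["rows"]:
            alerts.append((ts, "unusual_export", f"{user}:{rows}"))
        last_ok[user] = t
    return alerts
```

Read together, the first three alerts on the constructed data describe one story: repeated failures, then a success from the same unfamiliar address, then an export far above the user's norm, which is the point at which an analyst can cut the session off midstream.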

AUTHENTICATION AND ACCESS - THE COSTCO METHOD

If you’ve visited your local Costco in the last decade, your experience has been a derivative of the following events:

  • Walk in and show your Costco ID/shopper card (which they typically never validate is you)
  • Shop and partake in as many food samples as possible
  • Scan your Costco ID/shopper card to begin scanning items and checkout
  • Hand over receipt for inspection of your cart to validate what you have is what you paid for, and a magic sharpie signifies you can leave
  • Go home and explain to your partner why you needed the family-sized Doritos bag and a four pack of emergency flashlights

Just like your average Costco experience wherein Costco defines the conditions for accessing, interacting with and leaving with the consumer goods in its stores, an organization like a state department of justice or city/county government should restrict internal user access to sensitive citizen information by a well-defined set of conditions. The emphasis is on internal user access because often attacks can come in the form of an identity that is being manipulated or used by an external party. This is ironically similar to the Costco card that is often wielded by a family member or friend, who is in fact not a real Costco member. #MembersOnly

A state agency or city/county CISO often will define how they protect a particular data set by who they want to access the data, how they want these users to access it, and what the extent of their access entails. For conversation's sake, let’s assume the underlying data for a public information portal was in a SQL database in Azure Government as stated previously. The first check at the door would be enabling multifactor authentication via Azure Active Directory (AAD), a component of Microsoft Entra. Secondly, it is not enough that a user can authenticate with their username/password and other factors like the use of Microsoft’s Authenticator App. Organizations should consider deploying Conditional Access Policies via AAD to control what devices a user can authenticate from and where they can login from.

Moreover, with Microsoft Entra’s role-based access control (RBAC) you can control what resources can be accessed by which user and what actions they can perform. You can also limit VM access to just-in-time through other capabilities in Azure, which allows admins to do only the work that needs to be done in a certain time frame.

Just like Costco, it’s important to have more than one mitigation in place to protect critical assets and the spicy hot deals on patio furniture.

PROTECTING SENSITIVE DATA - GOVERNMENTS WITH UNGOVERNED DATA

Microsoft Purview (previously known as Azure Purview) can be deployed to manage multiple data sources in Azure like in this example, other cloud infrastructure or on premises. Using Microsoft Purview Data Map, an administrator can create a collection that can be permission trimmed to a specific set of users or groups. Moreover, the individuals in the organization that can alter or change Microsoft Purview policies can also be governed by specific roles within the governance portal.

For most of the blog, we’ve focused primarily on sensitive PII data living on server infrastructure in Azure (IaaS). Yet, as evidenced by multiple premature releases of judicial and legislative decisions causing great political and civil impact, not all sensitive information lives on a SQL server. Sensitive memos, discussions about new legislation, government research, video footage and case files are stored and acted upon within Microsoft 365 applications. Microsoft Purview in Microsoft 365 allows a state DOJ to label sensitive content manually or automatically in Exchange, OneDrive, Teams, Power BI, etc.

With sensitivity labeling and the power of other native capabilities like data loss prevention (DLP) and Microsoft Cloud App Security (MCAS), users will be unable to copy and paste or distribute sensitive information to unintended audiences/applications. Also, printing and downloading functionality can be limited by these solutions to prevent other forms of data exfiltration.

TRANSPARENCY - THE OPPORTUNITY AND CYBER ISSUE FACING EVERY STATE DOJ 

The amount and types of data being shared with the public will continue to grow and change respectively. Therefore, CIOs and CISOs will need to be closely aligned as more agencies try to meet the demand of their citizens without indirectly impacting citizen privacy or the safety of public officials. Cybersecurity grants will continue to aid in the investments necessary to protect this data; however, resourcing will continue to be a gap for the foreseeable future.

Therefore, technology can help alleviate some of the administrative burden of protecting this data. DOJs or the supporting state OIT will need a holistic platform approach, appropriate visibility for incident response and vulnerability management on these data sources, multilayered zero-trust strategies for authentication, and native data labeling and governance across wide-ranging applications. Deploying these solutions will not prevent all attacks or cover every threat vector (for example, this article does not address firewall solutions). Yet, it may be prudent to start with a comprehensive platform strategy and integrate other mitigating solutions at a later point in your plan of action and milestones.