The Rise of Cybercrime and What Law Enforcement Needs to Know About Protecting Sensitive Data
Author: Roy Adar, VP Product Management, Cyber-Ark Software
Copyright: 9-1-1 Magazine, Feature Content
Public safety professionals continue to adopt new technologies that allow them to monitor potentially dangerous or illegal activities and gain access to information that improves their ability to do their job, and the quality of the services being provided. However, municipalities that purchase and implement these technologies are often at risk themselves from hidden vulnerabilities that can be exploited by cyber criminals. Thus, sensitive data that is necessary for reporting crime and sharing evidence is potentially at risk. One unnamed U.S.-based municipality learned this lesson the hard way when professional hacker Kevin Finisterre was assigned to test its security.
According to The Register, after scanning several IP addresses used by the city's police department, Finisterre discovered they connected directly into a Linux device carried in police cruisers. Using little more than File Transfer Protocol (FTP) and telnet commands, he then tapped into a digital video recorder used to record and stream audio and video captured from gear mounted on the vehicle's dashboard. Obviously, allowing hackers to watch police officers responding to calls in real time is a serious security threat, but beyond that, Finisterre was able to control the hard drive of the DVR, giving him the ability to upload, download and delete videos that are often used as court evidence.
So how do law enforcement agencies protect themselves from a dangerous security threat like the police cruiser DVR hack? First, they must understand the shortcomings of certain technologies. In the case of the police cruiser video hacking, Finisterre used default passwords that were hardcoded into the DVR's FTP server to access the hard drive. FTP was created in 1971 and is a simple way to move files from one device to another. However, because the early engineers who created FTP did not have access to the computing power and software needed for solid encryption, the 40-year-old protocol continues to be a serious weakness for the security of connected machines.
Because it is so outdated, organizations such as law enforcement agencies that utilize FTP are putting sensitive data at risk. A shortcoming with traditional FTP and even encrypted FTP sessions is that after the data is done moving (also referred to as “data at rest”), it sits on the FTP or SFTP server in plain text. If that FTP or SFTP server is directly connected to the Internet -- as it most likely will be to allow business partners to connect to it -- the data is at risk of being accessed and shared. FTP technology can also slow down business processes, as an organization’s IT team often needs to modify FTP scripts in order to support a new business initiative or bring on a new business partner that needs to exchange sensitive information with the system. Furthermore, knowing whether the files were transferred correctly and on time (i.e., monitoring) is very difficult to do with transfer methods such as FTP.
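The two gaps described above, recordings that can be altered or deleted on the server and no easy way to confirm a transfer arrived intact, can be illustrated with a keyed manifest check. This is an added example, not code from the article or from any product it names; the file names, the key and the function names are constructed for illustration, and it assumes the sender and receiver share a key that is never stored on the transfer server.

```python
import hashlib
import hmac
import json

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _tag(entries: dict, key: bytes) -> str:
    # HMAC over a canonical JSON listing, so the manifest itself cannot be edited.
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(files: dict, key: bytes) -> dict:
    """Sender side: hash every file, then authenticate the whole listing."""
    entries = {name: _sha256(data) for name, data in files.items()}
    return {"entries": entries, "tag": _tag(entries, key)}

def verify_transfer(received: dict, manifest: dict, key: bytes) -> dict:
    """Receiver side: report files that are missing, altered or unexpected."""
    entries = manifest["entries"]
    report = {"manifest_ok": False, "missing": [], "modified": [], "unexpected": []}
    if not hmac.compare_digest(_tag(entries, key), manifest["tag"]):
        return report  # listing was tampered with; trust nothing in it
    report["manifest_ok"] = True
    report["missing"] = sorted(n for n in entries if n not in received)
    report["modified"] = sorted(
        n for n in entries if n in received and _sha256(received[n]) != entries[n])
    report["unexpected"] = sorted(n for n in received if n not in entries)
    return report

# Constructed sample data: three recordings sent, then altered on the server.
KEY = b"constructed-demo-key"  # assumption: real key is kept off the transfer server
SENT = {"unit12/clip-001.avi": b"frames-A", "unit12/clip-002.avi": b"frames-B",
        "unit12/clip-003.avi": b"frames-C"}
RECEIVED = {"unit12/clip-001.avi": b"frames-A", "unit12/clip-002.avi": b"frames-X",
            "unit12/clip-999.avi": b"planted"}

def demo() -> dict:
    return verify_transfer(RECEIVED, build_manifest(SENT, KEY), KEY)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check detects tampering and incomplete transfers; it does not encrypt the files, so protecting the data at rest still requires encryption on the storage side.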
Understanding this vulnerability, The MTN Group Limited, a provider of communication services that offers cellular network access and business solutions in South Africa, needed a secure and reliable means to exchange data with legal authorities. South African mobile network operators are legally required to quickly, securely and accurately transfer data critical to legal investigations. The manual process required MTN SA to print and physically courier the data to law enforcement agencies. After reviewing alternatives, MTN SA decided to implement Cyber-Ark’s centralized governed file transfer solution that secures data at rest and in transit and allows the organization to exchange automatically encrypted business information quickly and securely with those who are granted the privileges to access it. Once they implemented this solution, MTN SA was able to send automated notifications of new subpoena requests, as well as automated updates announcing the finalization of investigation data. Similarly, law enforcement agencies were able to log their subpoenas directly and receive electronic copies of data. Since the company handles hundreds of investigations per month, this automated process was critical in cutting down on wasted hours faxing and shipping data.
Similar to MTN SA, Sunderland City Council, a metropolitan district and one of the largest cities between Leeds and Edinburgh, England, needed to share information daily between partners including the police, Council, drug service providers and many other agencies. Historically, the various departments shared information via email, but due to sensitivity and security concerns, any personal information or identifying details were removed from these emails. Thus, much of the data shared between agencies was incomplete and unreliable. In need of a safe and secure way to access, store, manage and transfer data, Sunderland City Council looked to governed file transfer technology to control and manage who has access to certain files within a centralized and secure system, providing tight control over sensitive data and audit trails. The solution not only allowed the Sunderland City Council to communicate sensitive information securely and completely, but also provided detailed tracking capabilities, giving the organization the peace of mind that it would meet ISO standards.
Unfortunately, with cyber criminals becoming more and more sophisticated, law enforcement agencies and their partners cannot put complete trust in existing FTP technologies. The first step to protect an organization from being compromised starts with a comprehensive risk assessment of the entirety of its IT assets to assess its vulnerabilities, inclusive of both software and hardware. If the unnamed government municipality had assessed its hardware more thoroughly, it would have realized that the default passwords in the DVR’s FTP server were vulnerable and could have taken steps to prevent the hack. As seen with both MTN SA and Sunderland City Council, modern governed file transfer solutions can help agencies safely communicate and ensure compliance with state and federal regulations related to privacy and data security.
Roy Adar is vice president of product management at Cyber-Ark Software (www.cyberark.com) where he is responsible for leading definition and delivery of Cyber-Ark product-lines, product positioning and overall product roadmap. You can contact the author at roya [at] Cyber-Ark.com.