Specialists at ExtraHop analytics have warned that corporate security, analytics and equipment management tools can collect much more data than their customers think.
Researchers do not disclose names of specific companies and software, but report that some analytics and security solutions transmit information of their users to remote servers, and people do are not aware about it.“What was most alarming to us was that two of the four cases in the advisory were perpetrated by prominent cybersecurity vendors. These are vendors that enterprises rely on to safeguard their data”, — said Jeff Costlow, ExtraHop CISO.
The ExtraHop report describes four such cases recorded in 2018-2019.
They do not notify their customers about transferring of the data: an endpoint security solution, equipment for management of hospital software, surveillance cameras, and security analysis software used by an unnamed financial institution.
Read also: Developed the most powerful and intelligent Zip-bomb in the IT history
Even worse, after examining the cases of a hospital and financial institutions, analysts concluded that due to data transfer there are potential legal risks associated with the disclosure of confidential information to third parties.
Overall, the researchers recorded:
- transferring of encrypted traffic to the public cloud after the evaluation is completed;
- sending data to the cloud without authorization; sending data to a known malicious IP address located in China;
- sending more than 1 TB of user data from the United States to suppliers’ servers in the UK.
Researchers note that collecting and transmitting data is not illegal in itself, but if it happens correctly and while informing the client. Unfortunately, in the discovered cases, everything was completely wrong.
For example, security cameras transmit data to an IP address in China, which was previously associated with the spread of malware, and analytical software seems to have violated the Graham-Lich-Bliley law by transferring personal data to foreign citizens. In another case, the experts found that the solution, which ended the trial period, continued to collect information for at least another two months.
“It is likely that security solution providers are communicating with their home servers for legitimate purposes, given their architecture or design, or it is generally the result of a misconfiguration. However, it is a very disturbing fact that large amounts of data are transferred from the customer’s environment to the supplier without the knowledge or consent of the customer”, — summarizes Jeff Costlow.
How to mitigate?
ExtraHop’s security advisory recommends that companies take the following actions to mitigate these kinds of phoning-home risks:
- Monitor for vendor activity: Watch for unexpected vendor activity on your network, whether they are an active vendor, a former vendor or even a vendor post-evaluation.
- Monitor egress traffic: Be aware of egress traffic, especially from sensitive assets such as domain controllers. When egress traffic is detected, always match it to approved applications and services.
- Track deployment: While under evaluation, track deployments of software agents.
- Understand regulatory considerations: Be informed about the regulatory and compliance considerations of data crossing political and geographic boundaries.
- Understand contract agreements: Track whether data is used in compliance with vendor contract agreements.
ExtraHop also urges companies to ask questions of their vendors to ensure they understand how their data is being used, where their data is going and the vendor protocols for phoning home. ExtraHop believes these actions will hold vendors more accountable and ultimately limit the exposure of sensitive enterprise data.
