A cyber analytics firm has found several instances of business software that collects and sends information home, a behavior that could lead to exposure of sensitive business data.
While its report does not name the vendors, ExtraHop explains in four case studies how installed software sent data to external locations without the companies' knowledge.
On its own, such a transmission may not be malicious or a privacy risk; for all anyone outside the vendor knows, it could be nothing more than diagnostic telemetry. Companies should nonetheless have full visibility into, and control over, what data leaves their network.
Enterprise software sending data home
Collecting information from a client's servers and delivering it to the vendor is a behavior also known as "phoning data home." It can have legal and regulatory implications, especially when the data leaves without the client's knowledge.
In today’s security advisory, ExtraHop defines the phoning home process as “customer-to-server communication” that can be beneficial to both third-party vendors and customers when it is transparent and well documented.
However, “when customers are unaware of this vendor exfiltration, it risks the exposure of sensitive data in the vendor’s environment, such as Personally Identifiable Information (PII).
“To be clear, we don’t know why these vendors are phoning home data. The companies are all respected security and IT vendors, and in all likelihood, the phoning home of data was either for a legitimate purpose given their architecture design or the result of a misconfiguration,” adds ExtraHop’s advisory.
“But the fact that large volumes of data are traveling outbound from a customer environment to a vendor without the customer’s knowledge or consent is problematic.”
Software with an appetite for data
ExtraHop's report describes four cases, uncovered during 2018 and the first weeks of 2019, in which software was observed phoning data home to the vendor's own servers without the customers' prior permission or knowledge.
The vendors range from endpoint security and device management to consumer security cameras and security analytics. In every example highlighted, the customers had no idea that data was being sent from their environment to servers controlled by the vendor.
ExtraHop observed the vendors' software:
- Sending encrypted traffic to the public cloud after an evaluation had ended
- Sending data to the cloud without authorization
- Sending data to a known malicious IP address located in China that hosts malware
- Sending more than 1 TB of customer data from the United States to vendor servers in the United Kingdom
The behavior described in ExtraHop's report exposes companies to a wide range of risks, including unauthorized access to data, device management providers sending data to the cloud, potential vectors for malware downloads, possible PII exposure, and violations of the Gramm-Leach-Bliley Act.
“What these examples underscore is that it’s very difficult for enterprises to really understand what’s happening with their data,” adds ExtraHop.
“How can you expect to know when a bad actor is exfiltrating data when you don’t know that your trusted vendors are pulling it out of your environment and for what purpose?”
Unauthorized data transmission risks
Data protection is a hot topic in most countries, many of which are drafting or already enforcing rules such as GDPR. Exposing sensitive information to a third-party environment may result in severe monetary penalties, and it can expose business clients to identity theft and cost the company customers through reputational damage.
To mitigate these risks, ExtraHop recommends the following steps for detecting and blocking software that transmits potentially sensitive data:
- Monitor for vendor activity on your network, whether the vendor is active, former, or post-evaluation.
- Monitor egress traffic, especially from sensitive assets such as domain controllers.
- Match egress traffic to approved applications and services.
- Track deployment of software agents as part of an evaluation.
- Understand regulatory considerations of data crossing political and geographic boundaries.
- Track whether data is used in compliance with vendor contract agreements.
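The monitoring steps above amount to an allowlist check on egress flows. The following Python script is an added example, not ExtraHop's code or anything taken from the advisory. It runs that check over a handful of constructed flow records: it ignores east-west traffic, flags outbound flows whose destination matches no approved vendor or matches a vendor whose evaluation has ended, flags destinations on a threat list, escalates when the source is a domain controller, and totals bytes per destination so that a bulk transfer spread over many small flows still stands out. The internal ranges, host names, vendor allowlist, threat-list address, volume threshold and flow records are all assumptions made for illustration.

```python
"""Egress allowlist check over constructed flow records (added example)."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed: address space treated as "inside" the environment (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed: sensitive assets whose egress deserves extra scrutiny.
SENSITIVE_HOSTS = {
    "10.0.0.5": "dc01 (domain controller)",
    "10.0.0.6": "dc02 (domain controller)",
}

# Assumed approved vendor destinations: (network, vendor, status).
# "expired" models a vendor whose evaluation has ended but whose agent may still run.
APPROVED_VENDORS = [
    (ipaddress.ip_network("203.0.113.0/24"), "backup-vendor", "active"),
    (ipaddress.ip_network("198.51.100.0/24"), "edr-vendor", "expired"),
]

# Assumed threat-list entry (documentation range, not a real indicator).
KNOWN_BAD = {ipaddress.ip_address("192.0.2.77")}

# Assumed per-destination volume threshold for one analysis window (bytes).
VOLUME_THRESHOLD = 500_000_000


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def match_vendor(ip: str) -> Optional[tuple[str, str]]:
    """Return (vendor, status) for an approved destination, else None."""
    addr = ipaddress.ip_address(ip)
    for net, vendor, status in APPROVED_VENDORS:
        if addr in net:
            return vendor, status
    return None


def classify(flow: Flow) -> list[str]:
    """Findings for one flow; an empty list means nothing to report."""
    if is_internal(flow.dst):
        return []  # east-west traffic is out of scope for an egress check
    findings = []
    if ipaddress.ip_address(flow.dst) in KNOWN_BAD:
        findings.append("destination on known-bad list")
    vendor = match_vendor(flow.dst)
    if vendor is None:
        findings.append("destination not matched to any approved vendor")
    elif vendor[1] == "expired":
        findings.append(f"traffic to {vendor[0]} after evaluation ended")
    # A finding from a domain controller is worse than the same finding elsewhere.
    if findings and flow.src in SENSITIVE_HOSTS:
        findings.append(f"source is sensitive asset {SENSITIVE_HOSTS[flow.src]}")
    return findings


def analyze(flows: list[Flow]) -> dict:
    """Run the per-flow checks and a per-destination volume check over a batch."""
    alerts = []
    volume: dict[str, int] = defaultdict(int)
    for f in flows:
        if is_internal(f.dst):
            continue
        volume[f.dst] += f.bytes_out
        findings = classify(f)
        if findings:
            alerts.append((f.src, f.dst, f.dport, findings))
    bulk = {dst: total for dst, total in volume.items() if total >= VOLUME_THRESHOLD}
    return {"alerts": alerts, "bulk_destinations": bulk}


# Constructed sample flows; not captured from any real network.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "203.0.113.10", 443, 120_000),     # approved, active vendor
    Flow("10.0.0.5", "10.0.1.20", 389, 4_000),            # internal LDAP, ignored
    Flow("10.0.0.5", "198.51.100.8", 443, 300_000_000),   # DC -> vendor whose evaluation ended
    Flow("10.0.0.5", "198.51.100.8", 443, 250_000_000),   # same destination, crosses threshold
    Flow("10.0.2.7", "192.0.2.77", 8080, 900),            # known-bad destination
    Flow("10.0.3.9", "203.0.113.10", 443, 50_000),        # approved, active vendor
]

if __name__ == "__main__":
    result = analyze(SAMPLE_FLOWS)
    for src, dst, port, findings in result["alerts"]:
        print(f"{src} -> {dst}:{port}: " + "; ".join(findings))
    for dst, total in result["bulk_destinations"].items():
        print(f"bulk egress to {dst}: {total} bytes this window")
```

Real deployments would feed this from NetFlow, IPFIX or firewall logs and key the allowlist on the contract record for each vendor (including its end date), so that an agent left behind after an evaluation shows up as a policy violation rather than as ordinary vendor traffic.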
“We decided to issue this advisory after seeing a concerning uptick in this kind of undisclosed phoning home by vendors,” also said Jeff Costlow, ExtraHop CISO. “What was most alarming to us was that two of the four cases in the advisory were perpetrated by prominent cybersecurity vendors.”
“These are vendors that enterprises rely on to safeguard their data. We’re urging enterprises to establish better visibility of their networks and their vendors to make sure this kind of security malpractice doesn’t go unchecked.”
ExtraHop's advisory aims to make companies aware that software phoning their data home is not unusual, but that under the wrong circumstances it can cause a lot of headaches when it is done without their knowledge.
More information and additional details on the four case studies, including technical information on how the behavior was identified during analysis of customer environments, are available in the ExtraHop security advisory.