On June 10, 2021, the "Data Security Law of the People's Republic of China" was officially announced and will come into effect on September 1. The "Data Security Law" emphasizes the responsibilities that enterprises should bear in protecting data security: enterprises need to formulate relevant systems to ensure data security, remedy data security risks, and report data security incidents. If the enterprise refuses to comply with the law or causes a major data leakage accident, it will be fined not less than 100,000 yuan and not more than 1 million yuan, and the directly responsible supervisor and other directly responsible persons will be fined not less than 10,000 yuan and not more than 100,000 yuan. If there is a large amount of data in the enterprise, security operation and maintenance personnel must take these laws and regulations seriously, because once a data leakage incident occurs, not only the enterprise will be punished, but also the directly responsible person.
TDP is Weibu Online's new-generation, intelligence-driven network traffic detection and response (NDR) product. It is an all-round threat detection and response platform based on bypass (mirrored) traffic, covering traditional botnets, APTs, web and non-web attacks, business risk mining, and asset sorting. Weibu Online has been receiving inquiries from customers in the financial, Internet and other industries: "Can your TDP prevent sensitive data leakage?" Today, let's disassemble the data leakage prevention function in the asset & risk module of TDP.

Passive traffic monitoring to discover all API interfaces: "I know all the APIs you don't know"

The main way sensitive data leaks is through API interfaces. However, managing interfaces in practice is very difficult. Enterprise security operation and maintenance personnel often find it hard to answer the following questions:

1. How many interfaces does the enterprise have now?
2. How many of these interfaces can be crawled to obtain sensitive information?

Where there are assets, there are risks. TDP monitors the traffic of assets in every part of the enterprise through bypass mirroring to detect potential data leakage risks. Once TDP is connected to all egress traffic of the enterprise network, it continuously investigates all of the enterprise's API interfaces. By following the traffic, TDP can find external interfaces that the enterprise has ignored or does not manage, and can also show in real time whether those interfaces transmit sensitive information. When security operation and maintenance personnel find sensitive information leaking, they can ban the user IP reported by TDP. After the interfaces have been fully inventoried, enterprise security operation and maintenance personnel can use TDP's "plaintext sensitive information" and "API risk" functions to prevent information leakage and crawling.

Plaintext sensitive information function: "I know who dragged away what a second ago!"
Based on the characteristics of user services, TDP defines email addresses, mobile phone numbers, ID numbers, and bank card numbers as sensitive information. To prevent a recurrence of the "1.18 billion in 2 years" incident, TDP has a monitoring mechanism for plaintext sensitive information:

1. If an interface returns plaintext sensitive information, a record is left in the TDP interface;
2. TDP uses fields and codes to show what plaintext sensitive information the user accessed and what was returned, and also records the user's IP, number of visits, and other information.

After interpreting all of this information, a complete story can be drawn: someone at a certain location, with IP address ***.***.*.*, during the period 2021/06/08 16:00, obtained plaintext sensitive information such as email/mobile phone/ID card/bank card. In addition, security operations personnel can see the specific code of the returned content and gain a clearer understanding of the details. Next, you only need to check the relevant IP addresses to get to the bottom of the matter: if it is normal internal business, let it go; if there is a risk with the internal host, check and kill it; if threat intelligence confirms that this is a hacker/black industry IP, then at best it is blocked and at worst it is reported to the police.

API risk function: "My interface keeps jumping back and forth. Is there something wrong with you?"

Some black and gray industries do not need the enterprise's sensitive data, but rather the data generated in the enterprise's daily business, such as enterprise information data, news releases, and so on. They will also crawl a large number of business interfaces. If the crawling frequency is too high, it may cause consequences such as a website crash. Therefore, the behavior of repeatedly jumping across business interfaces is also of great concern to security personnel. TDP also has a monitoring mechanism for API interface risks:

1. TDP monitors the number of visits to the enterprise's API interfaces and uses the number of visits and time periods to form a trend chart;
2. TDP also monitors the total number of times all users access the enterprise API, and can show whether the number of visits by a single user is too high. At the same time, the data returned to a single user is displayed in JSON format.

Similarly, after interpreting all of the information, we get a complete story: someone at a certain location, with IP address ***.***.*.*, during the period 2021/06/08 16:00, had an access frequency 4.5 times higher than that of ordinary users, with a total of 124,500 visits, and crawled some information in JSON format. Next, you only need to check the relevant IP addresses to reveal the truth: if it is normal internal business, let it go; if there is a risk with the internal host, check and kill it; if threat intelligence confirms that this is the IP address of an external illegal crawler, block it.

What other risks can TDP monitor?

We believe that three types of risk in enterprise assets deserve the most attention: login risk, data leakage risk and API risk. TDP can passively monitor the enterprise's terminals, login backends, and ports that may become attack surfaces by mirroring bypass traffic. It can also find out which accounts have weak passwords and which login behaviors are suspicious. In addition, TDP can also prevent common business risks such as credential stuffing (database collision) and DDoS attacks.
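The three mechanisms described above (passive API inventory from mirrored traffic, detection of plaintext sensitive values in responses, and flagging a client whose request rate is several times that of ordinary users) can be reduced to a small piece of detection logic. The script below is an added example written for this page; it is not TDP's or Weibu Online's code, and it makes its own assumptions: traffic arrives as (client IP, host, path, response body) records, "sensitive" means the four kinds the text names, the rate baseline is the median client's request count, and the 4.5x factor from the story above is used as the threshold. All sample records, addresses and numbers are constructed; the ID number and card number are checksum-valid test values, not real identities or accounts.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed traffic records standing in for bypass-mirrored HTTP exchanges:
# (client_ip, host, request_path, response_body). Every value is made up; the
# ID number and card number are checksum-valid test values, not real ones.
TRAFFIC = [
    ("10.0.0.5", "api.example.internal", "/v1/users/1",
     '{"email":"alice@example.com","phone":"13800138000"}'),
    ("10.0.0.5", "api.example.internal", "/v1/users/2",
     '{"email":"bob@example.com"}'),
    ("10.0.0.7", "api.example.internal", "/v1/news?page=1",
     '{"title":"Q2 results"}'),
    ("203.0.113.9", "api.example.internal", "/v1/users/3",
     '{"id_card":"11010519491231002X","bank_card":"6222021001122337"}'),
] + [
    ("203.0.113.9", "api.example.internal", f"/v1/news?page={i}",
     '{"title":"..."}')
    for i in range(40)
]

# The four sensitive kinds named in the text. The card pattern refuses a trailing
# X so that the first 17 digits of an ID number are not reported as a card.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),  # mainland mobile number
    "id_card": re.compile(r"(?<![0-9A-Za-z])\d{17}[\dXx](?![0-9A-Za-z])"),
    "bank_card": re.compile(r"(?<!\d)\d{16,19}(?![0-9Xx])"),
}

def luhn_valid(number: str) -> bool:
    """Luhn check for card numbers; weeds out random 16-19 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

_ID_WEIGHTS = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
_ID_CHECK = "10X98765432"

def prc_id_valid(number: str) -> bool:
    """ISO 7064 MOD 11-2 check digit used by 18-character PRC resident ID numbers."""
    s = sum(int(c) * w for c, w in zip(number[:17], _ID_WEIGHTS))
    return _ID_CHECK[s % 11] == number[17].upper()

# Checksum validators cut false positives; an all-digit ID number is only
# reported as a card if it also happens to pass Luhn.
VALIDATORS = {"bank_card": luhn_valid, "id_card": prc_id_valid}

def classify_sensitive(body: str) -> dict:
    """Return {kind: [values]} for every plaintext sensitive value in a response body."""
    found = {}
    for kind, pattern in PATTERNS.items():
        check = VALIDATORS.get(kind, lambda _v: True)
        values = [m.group(0) for m in pattern.finditer(body) if check(m.group(0))]
        if values:
            found[kind] = values
    return found

def endpoint_of(host: str, path: str) -> str:
    """Normalise an interface to host + path, dropping the query string."""
    return host + path.split("?", 1)[0]

def inventory(traffic) -> dict:
    """Passive API inventory: every interface seen, with the sensitive kinds it returned."""
    seen = defaultdict(set)
    for _ip, host, path, body in traffic:
        seen[endpoint_of(host, path)].update(classify_sensitive(body))
    return dict(seen)

def per_ip_report(traffic) -> dict:
    """Per client IP: request count, interfaces touched, sensitive values returned to it."""
    report = defaultdict(lambda: {"requests": 0, "endpoints": set(), "sensitive": Counter()})
    for ip, host, path, body in traffic:
        entry = report[ip]
        entry["requests"] += 1
        entry["endpoints"].add(endpoint_of(host, path))
        for kind, values in classify_sensitive(body).items():
            entry["sensitive"][kind] += len(values)
    return dict(report)

def rate_anomalies(traffic, factor: float = 4.5) -> dict:
    """IPs whose request count is at least `factor` times the median client's, with the ratio."""
    counts = Counter(ip for ip, *_ in traffic)
    baseline = median(counts.values())
    return {ip: n / baseline for ip, n in counts.items() if n >= factor * baseline}

if __name__ == "__main__":
    for ep, kinds in sorted(inventory(TRAFFIC).items()):
        print(f"{ep}: {sorted(kinds) or 'no plaintext sensitive data seen'}")
    for ip, ratio in rate_anomalies(TRAFFIC).items():
        info = per_ip_report(TRAFFIC)[ip]
        print(f"{ip}: {info['requests']} requests, {ratio:.1f}x median, "
              f"sensitive values returned: {dict(info['sensitive'])}")
```

On the constructed records the inventory marks `/v1/users/3` as having returned an ID number and a card number while `/v1/news` returns nothing sensitive, and `203.0.113.9` is flagged at 20.5 times the median client's request count. The output maps onto the triage the text describes: the flagged IP and the sensitive kinds returned to it are what an operator checks against internal business records and threat intelligence before deciding to let it go, investigate the host, or block it. Checksum validation is what keeps a detector like this from drowning in false positives on ordinary numeric fields; a production system would also keep a time window per client so the baseline tracks the trend chart rather than a lifetime total.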