Mar 06, 2024The Hacker NewsData Security / Cloud Security

Every Google Workspace administrator knows how quickly Google Drive becomes a messy sprawl of loosely shared confidential information. This isn’t anyone’s fault; it’s inevitable as your productivity suite is purposefully designed to enable real-time collaboration – both internally and externally.

For Security & Risk Management teams, the untenable risk of any Google Drive footprint lies in the toxic combinations of sensitive data, excessive permissions, and improper sharing. However, it can be challenging to differentiate between typical business practices and potential risks without fully understanding the context and intent.

Material Security, a company renowned for its innovative method of protecting sensitive data within employee mailboxes, has recently launched Data Protection for Google Drive to safeguard the sprawl of confidential information scattered throughout Google Drive with a powerful discovery and remediation toolkit.

How Material Security helps organizations safeguard Google Drive

Trying to answer fundamental questions about what’s in Google Drive and where it’s shared is painstakingly manual using the Workspace admin dashboard, and working with the Drive API is costly and complex. Given the breadth of sensitive content, this is an area that warrants focus, but it’s challenging to get to the depth required.

Material is backed by a powerful data platform that syncs with your Google Workspace tenant to build out a structured model of historical file contents, metadata, permissions, and sharing settings that is kept up-to-date based on ongoing activity. This data platform enables in-depth inspection that wouldn’t be possible by interfacing with the Drive API alone. With this data platform as the foundation, Material:

• Scans file contents against a set of custom built ML-based detection rules to identify and classify sensitive content across a wide range of PII, PCI, PHI, and other confidential data categories
• Calculates file and folder permission sets and sharing settings to build a unified access model that is easier to understand and demonstrate for compliance
• Enables automated access revocation based on precise search results and activity triggers to continuously reduce the risk profile

The precision of Material allows you to effectively wrangle such a complex and vast data repository without getting in the way of daily use – security without impacting productivity. See it for yourself.

Illuminate blind spots across your Google Drive footprint

With a powerful data platform as the foundation, you gain an expressive search interface that guides you through your Google Drive footprint to identify toxic combinations worthy of investigation. You can search against file metadata, ownership, content, location, and sharing to answer questions such as:

• Show me every file that contains financial records that are shared externally
• Show me every file viewable via a public link that contains PII
• Show me every file accessible by these users who are departing the company next week
• Show me every file with confidential information that’s shared with a gmail address
• Show me every file in a Shared Drive that contains health records

As you illuminate more of those dangerous blind spots, you continuously gain a more complete view of the environment with heightened security posture – the types of things that make it easier to sleep at night.

Block exfiltration paths with automated remediation

The primary remediation mode to fix toxic combinations in Google Drive is to revoke access. That sounds easy on the surface, but when you consider the conditions of the whole space, it becomes a multi-dimensional puzzle. When is external sharing valid and when is it not? Are there users that belong to groups that they shouldn’t? Which settings should change when a document is modified to add confidential information?

Precise search and activity-based filtering enables remediation workflows for scenarios such as:

• Automatically revoking public links for any file that contains classified information
• Sending users a message to confirm external sharing when files contain any sensitive data
• Cutting off access to all files shared with specific external domains in a single bulk job
• Revoking all access to a specific account that displays behaviors of a compromise
• Resetting any files accessible to the organization that contain personal health information to Restricted

Applying automation generally can get in the way of day-to-day use, so it’s important to build with precision – a better understanding of the nature of content, which domains are trusted, and common user behaviors help you contain the surface area the right way.

Keep your productivity suite productive with Material Security

At Material, we focus our efforts on the productivity suite because we believe that it’s critical infrastructure to any organization. And as critical infrastructure, in-depth security defenses that can effectively stop attacks and reduce risk across the environment are paramount.

The new capabilities with Data Protection for Google Drive solve hard data discovery, governance, and access problems that have traditionally been challenging to do without dedicated tooling.

Want to see it for yourself? Schedule a personal demo with our team today.

We analyzed 2,5 million vulnerabilities we discovered in our customer’s assets. This is what we found.

Digging into the data

The dataset we analyze here is representative of a subset of clients that subscribe to our vulnerability scanning services. Assets scanned include those reachable across the Internet, as well as those present on internal networks. The data includes findings for network equipment, desktops, web servers, database servers, and even the odd document printer or scanning device.

The number of organizations in this dataset is smaller (3 less) than the previous dataset used in last year’s Security Navigator 2023 and some organizations were replaced by new additions. With the change of organizations comes a different mix of assets, which leaves comparing the previous results akin to comparing apples to oranges (we might be biased), but it’s still worth noting similar patterns where possible.

This year, we revisit the menacing vulnerability theme with an eye on the ever-present and lingering tail of unresolved system weaknesses. The waves of newly discovered serious issues are just for our attention with existing unresolved issues, seeming like a hydra that keeps on growing new snaking heads as soon as you dispatch others.

Assessing whether a system is adequately protected is a challenge that requires skill and expertise and can take a lot of time. But we want to learn of any weaknesses beforehand rather than having to deal with the fallout of an unplanned “free pentest” by a random Cy-X group.

Vulnerability Scanning Findings by Severity

Examining the severity rating share per unique Finding we see that the bulk of unique Findings, 79%, are classified as ‘High’ or ‘Medium’. However, it is also worth noting that half, 50.4%, of unique Findings are considered ‘Critical’ or ‘High.’

The average number of ‘Critical’ or ‘High’ Findings has decreased by 52.17% and 43.83%, respectively, compared to our previously published results. An improvement can also be observed for Findings with severity ratings ‘Medium’ and ‘Low’ being down 29.92% and 28.76%. As this report uses a slightly different sample of clients to last year, a YoY comparison has limited value, but we see evidence that clients are responding well to the findings we report, resulting in an overall improvement.

The majority of Findings (78%) rated ‘Critical’ or ‘High’ are 30 days or younger (when looking at a 120-day window). Conversely, 18% of all findings rated ‘Critical’ or ‘High’ are 150-days or older. From a prioritization perspective, ‘Critical’ or ‘High’ real findings seem to be dealt with swiftly, but some residual still accumulates over time. We see, therefore, that unresolved Findings continue to grow older. Indeed, ~35% of all unique CVEs are from findings 120 days or older.

The chart above shows the long tail of unresolved real findings. Note the first remarkable long tail peak around 660 days and the second one at 1380 days (3 years and 10 months).

A window of opportunity

The high average numbers of ‘Critical’ and ‘High’ findings are largely influenced by assets running Microsoft Windows or Microsoft Windows Server operating systems. Assets running operating systems other than Microsoft, such as Linux-based OS, are present, but these are reported proportionally far less.

We should note, however, that the ‘Critical’ or ‘High’ findings associated with assets running Windows are not necessarily vulnerabilities in the operating system but can also be related to applications running on the asset.

It is perhaps understandable that unsupported Microsoft Windows and Windows Server versions are prominent here, but it is surprising to find more recent versions of these operating systems with severities rated as ‘Critical’ or ‘High’.

Industry perspective

We are using NAICS for our industry classification. The results here only consider Findings based on scans of hosts rather than services such as web applications. The average unique real Finding per unique asset is 31.74 across all organizations, denoted by the dashed horizontal line in the chart below.

Our clients in the Construction industry appear to be performing exceptionally well compared to clients in other industries, with an average of 12.12 Findings per Asset. At the opposite end of the spectrum, we have the Mining, Quarrying, and Oil and Gas industries, where we report an average of 76.25 unique findings per asset. Clients in Public Administration surprised us by outperforming Finance and Insurance with an average of 35.3 Findings per Asset, compared with 43.27, despite the larger number of Assets. Of course, these values are derived from the set of clients present in our sample and may not represent the universal reality.

When comparing the average severity per unique asset per Industry, we see a mixed picture. We can ignore Health Care and Social Assistance and Information, with a relatively small unique asset count, that results in averages that are disproportionate in relation to other Industries.

Our overall Industry average for Severity rating High is 21.93 and Mining, Quarrying and Oil and Gas Extraction have more than double that average.

Similarly, Finance and Insurance with Accommodation and Food Services also overshot the overall average by 10.2 and 3.4 findings per unique asset, respectively. The same three Industries exceeded the overall average for findings rated Critical, with Accommodation and Food Servers doing so by almost a factor of 3.

Vulnerability is getting old

As we revisit the menacing vulnerability theme this year, we once again look suspiciously at the ever-present and lingering tale of unresolved system weaknesses that are just getting older. We assessed over 2.5m vulnerability findings that we reported to our clients and over 1,500 reports from our professional ethical hackers to understand the current state of security vulnerabilities and consider their role and effectiveness as a tool for prioritization.

The bulk of unique Findings reported by our scanning teams – 79% – are classified as ‘High’ or ‘Medium,’ and 18% of all serious findings are 150 days or older. Though these are generally dealt with more swiftly than others, some residuals still accumulate over time. While most findings we identify are resolved after 90 days, 35% of all findings we report persist for 120 days or longer. And way too many are never addressed at all.

Our scanning results illuminate the persistent problem of unpatched vulnerabilities. Meanwhile, our Ethical Hacking teams more frequently encounter newer applications and systems built on contemporary platforms, frameworks, and languages.

The role of the Ethical Hacker is to conduct Penetration Tests – to emulate a malicious attacker and assess a system, application, device, or even people for vulnerabilities that could be used to gain access or deny access to IT resources.

Penetration Testing is generally considered a component of Vulnerability Management but could also be seen as a form of Threat Intelligence that businesses should leverage as part of their proactive defense strategy.

17.67% of findings our Ethical Hackers reported were rated as ‘Serious’, but, on a brighter note, hackers must work harder today to discover them than they had to in the past.

This is just an excerpt of the analysis. More details on our analysis of vulnerabilities and Pentesting (as well as a ton of other interesting research topics like VERIS categorization of the incidents handled in our CyberSOCs, Cyber Extortion statistics and an analysis of Hacktivism) can be found in the Security Navigator. Just fill in the form and get your download. It’s worth it!

Note: This informative piece has been expertly crafted and generously shared by Charl van der Walt, Head of the Security Research Center, Orange Cyberdefense.