Last updated: Thursday, December 26, 2017
The UpGuard Cyber Risk Research team follows the processes and procedures detailed in the internal governance document “UpGuard Breach Research Process” for breach research, notification, and disclosure. While the research team believes in being as transparent as possible into its operation, these internal process controls restrict publishing some information, such as specific tools and methods, due to the risk of this information being used by a malicious actor to find exposed data.
The UpGuard Cyber Risk Research team finds publicly exposed data, helps the owners secure it, and shares information on how these exposures can be avoided. Reducing data exposures is a public good, and the vast majority of individuals whose data is leaked lack the capacity to identify and remove those exposures themselves. Publicizing these findings raises awareness of the problem of data breaches, both in its scale and the severity of the data exposed. While we believe this activity provides a benefit to the public, and indeed to ourselves as private citizens, it also benefits UpGuard in that UpGuard provides solutions for preventing data breaches and a mature market for cyber risk mitigation would logically benefit UpGuard.
To ensure fair, secure, and standardized treatment for all parties involved in a breach disclosure, UpGuard’s Cyber Risk team has developed a process in consultation with industry leaders and UpGuard’s legal counsel, Fenwick and West. That process is described in the internal document “UpGuard Breach Research Process.” That process is reviewed quarterly by the Cyber Risk team to ensure that it accurately describes the best methods for securing exposed data. Any changes are then reviewed by UpGuard’s legal counsel to ensure that they are in compliance with all applicable laws and regulations.
In the discovery phase of breach research, analysts look for publicly exposed data sets using the approved procedures and tools. When exposed data sets are found, analysts investigate the contents of the data to determine its significance, such as the existence of personally identifiable information (PII) or access credentials. The format of this data determines the methods and tools used in the review process. For example, a group of non-OCR PDFs requires a different review technique than a MySQL dump file.
The Cyber Risk team never attempts to exploit any security vulnerabilities in order to gain access to data or to use credentials to access data (even when those credentials are exposed). The cyber risk team only researches and reports on data that is publicly accessible.
The secure storage of data findings is of paramount importance to the UpGuard Cyber Risk Team. The analyst has a duty to fully understand the scope and breadth of the exposure. With this, they must use their best judgement to determine the sufficient number of records to download in order to accomplish this goal.
During the initial exploration of the data set to determine whether it merits full investigation, the analyst downloads data to an encrypted file container and only works with the data inside of that container. The analyst uses their subject area expertise to determine the sufficient number of records to accomplish this part of the process.
After the analyst determines that the data set has the potential to constitute reportable information, they create an encrypted container volume on an external hard drive. The primary download goes directly into that encrypted volume. The decryption key is never stored on the same drive as the encrypted container. This approach is highly secure while at the same time allowing for reuse of storage media. After completing the secure download stage of the process, the analyst moves to the analysis stage of the process.
The analyst makes the data human-readable in order to commence their analysis of type, scope, and impact. As mentioned, the analyst uses appropriate tools depending on the data type to make it easily reviewable and comprehensible. Analysts do not “crack” any data encrypted by a third-party. All analysis takes place on the analyst’s local workstation; no data is retransmitted or uploaded to cloud services.
Finally, the analyst reviews their findings with the UpGuard Cyber Risk team to determine how to begin the notification process. The Cyber Risk team follows the defined process for notifying affected entities to the best of their ability given the involvement of third parties that vary in their personnel, organization, and preparedness to secure a data breach. If the standard notification process does not result in the data being secured, analysts use their subject area expertise to determine how to reach a successful removal of the data exposure.
Once the data has been secured and there is no risk of data exfiltration, the Cyber Risk team may share non-sensitive data with third parties in furtherance of their objective of educating the public as to the cyber risk environment.
After exposed data has been discovered, the location of that data (whether an IP address, URL, or other resources identifier) is not shared with anyone outside of the Cyber Risk team until UpGuard analysts have confirmed that the data is no longer publicly accessible.
Any information downloaded for either preliminary or deep analysis remains stored on physical media, preventing any possibility of UpGuard leaking data via the internet in the same way as the primary entity. Access to any downloaded information is restricted to only named individuals on the Cyber Risk team approved in the internal “UpGuard Breach Research Process” documentation.
By necessity, the Cyber Risk team must communicate during the analysis process. After a breach has been verified, a code name is assigned with no logical connection to the data or affected entities. While breaches are never discussed publicly or over channels that other individuals could access, use of a code name ensures that even a breach at one of UpGuard’s communication service providers would not compromise the entities involved. Any discussion of ongoing breach investigation is carried out using encrypted chat messaging. No sensitive data is ever shared during an investigation over channels where personnel outside of the Cyber Risk team could access it, even in the event of internal privilege escalation.
Analysts never transmit the original discovered files to external parties, including to media partners. In order to authenticate the existence and validity of discovered data, Cyber Risk Analysts share redacted screenshots of said files only to the extent necessary to substantiate the analyst’s conclusions. All screenshots are redacted to remove PII or other sensitive details.
In keeping with the mission of publicizing cyber risk issues, in order to raise general awareness of digital threats and thereby mitigate them, the UpGuard Cyber Risk Team will release breach findings to the public after the exposure has been secured by the affected entity. The intent behind the UpGuard public disclosure policy is to promote transparency in business and awareness around the prevalence and impact of data breaches. UpGuard presents accurate findings to the public along with analysis to aid in the interpretation of the events.
UpGuard never uses the discovery of a data breach to approach any affected entity in a sales capacity for UpGuard’s separate enterprise services.
The decision to write and publish a breach report is taken only after the exposure has been secured. The UpGuard Cyber Risk Team can also work to help secure a data exposure without publishing a report. The guiding decision in a decision to publicize a breach is whether the public interest is best served by a public report. UpGuard has no obligation to report exposed data. As an institution, we feel compelled to promote visibility and address as many leaked data sets as we feel appropriate. The research team evaluates the projected impact of each data breach, and other relevant factors, in order to prioritize breach notifications.
The manner in which the breached entity responds to the data breach notification may impact the manner in which media are made aware of the situation and when the information is presented.
UpGuard works with members of the media to announce data breach news to the general public. UpGuard does not provide information to journalists leading to unsecured data breach situations and holds media contacts to a strict publication embargo, so that the news announcements do not violate UpGuard’s established timeline. UpGuard also aids in facilitating communications with the affected entity, allowing the company to comment in coverage when possible.
Timely, secure, and thorough deletion of data are primary concerns. Once the UpGuard Cyber Risk Analysis team has sufficiently analyzed data and reasonably determined that relevant parties involved do not require further access to the data, the team follows the documented process for data deletion.
When it's time to purge, the decryption key is deleted and overwritten. Then the encrypted file container (that is now locked forever, because the key is gone) is deleted and overwritten. UpGuard implements a 3x overwrite in order to ensure the effective deletion of this data, using the NIST framework as the warrant for the effectiveness of the process.