Every day, it seems, we hear about another data breach that compromises personally identifiable information (PII), health data (PHI), or financial details. I do not think it’s fair to single out any one company – remember, these breaches are principally caused by bad actors perpetuating cybercrime. However, if you survey all the recent breaches, common elements surface. As we approach the new year, here, in no particular order, are eight areas of IT security for you to consider to avoid becoming the next data breach news story.
1. Overreliance on firewalls
Data security has a strong tradition of borders and boxes. Twenty years ago, at the dawn of the Internet era, edge devices (firewalls) were the most common way to protect “internal” data networks. During the past ten years, we’ve also added emphasis to container security (file shares, document libraries and encrypted databases). Protecting the network perimeter is important, but it shouldn’t be the only required control as many of today’s threats come from trusted insiders.
Think about visiting an office building in a major city. Although you need to authenticate yourself at the front door (secure ID if you’re an employee, two factors if you’re a visitor (ID and an appointment)) the whole building isn’t open to you past the front door. Elevator banks, locked office doors, and reception areas provide additional screening through the building. Guarding the front door is important, but it’s not the only step, and once someone accesses your internal network, the firewall alone won’t prevent them from getting into unlocked doors and controlled data.
2. Out-of-date antivirus and anti-malware
In many breaches, although local PC based antivirus and anti-malware may have been installed, those defenses were neither current enough nor effective. New threat vectors and exploits are discovered daily, and seven-year-old default antivirus installation doesn’t offer much protection. PCs and other internal systems pose an exciting target for malware since they can be compromised. With this in mind, checking the security posture of clients connecting to your network and preventing/limiting their access will help prevent malware propagating throughout the enterprise.
3. Unencrypted sensitive data
Multiple layers of controls provide in depth defense against an attack. Even if a user tunnels his or her way through border controls and gets into an open system, it won’t do them much good if sensitive data is stored in encrypted formats. Decrypting an encoded file is usually only possible using long-term brute force attacks. Furthermore, encrypted files are usually unsearchable, so readable file fragments don’t find their way into search results or regular expression queries looking for credit card numbers or other PII.
4. Two-factor authentication
Many point-of-sale devices in the US are unencrypted and accept credit card transactions using only a local paper signature. European users, however, have grown accustomed to chip-and-PIN credit cards. Card use requires a locally embedded secure chip combined with a user PIN to encrypt and accept transmissions. Encrypted sale devices are clearly far more secure than unencrypted single factor devices. (The same is true for local file systems – encrypted file systems provide better protection than open systems).
The same concept should be extended to the breadth of your network. Two-factor authentication is astronomically more secure than single factor passwords. Amplifying the security level before network access from remote, untrusted networks, or before using highly privileged user accounts, establishes additional context around appropriate data access.
5. Data federation
How many people do you know who use Excel? Everyone. That ubiquity poses a challenge. Normalized data structures frequently keep different aspects of sensitive data in different tables or databases. Customer number, names, addresses, transaction history, credit card numbers and social security systems might all be kept on different servers and joined by queries only when needed. It’s an optimal architecture for performance and security in part because just knowing that customer number 3456 has a given Social Security Number doesn’t help if you don’t know anything else about that customer number.
Free eBook: Modern Retail Security Risk – Get your copy now.
But “power user” data modeling can flatten all those structures into a simple table or spreadsheet that combines different data sources into a single row. It’s usually done so users can build their own queries, reports, or graphs. However, it’s risky to combine all those ingredients in a single file whose breach might translate into significant liability for your organization, especially when other controls on that file are weak or non-existent.
Even if the user files and PC databases are protected, the temporary download files are often overlooked. A month old CSV file of customer PCI data is still a treasure trove even if a few credit card numbers have already expired.
6. Take the audit trail
Breaches can happen, but it’s frustrating to learn about systems that had been left open for months or years before the activity was discovered. Don’t wait to enable auditing. Configure it in advance and review the logs monthly or weekly to identify areas for further inquiry. (Hint, the next threat is already here). Real-time alerts of high-risk activity can also help information security teams to focus on the most important areas of concern.
7. Privileged user access tracking
Administrative/root logins pose a great challenge. They are necessary for administration, but their power makes them prime candidates for misuse and malware attacks. Two-factor authentication as noted above is one key protection, especially for these power accounts. Privileged users should only be granted access to the tools and resources they require to do the job at hand rather than complete visibility and unrestricted access to the underlying infrastructure. Hackers can’t attack what they can’t see. In addition, running extensive forensics on all use of systems or privileged account usage – or attempted usage – can help identify attack sources for protective response. Failed logins or repeated logins for system admins is a warning flag for a breach in process.
8. Minimize staff turnover
If there’s a lot of turnover in corporate information security, watch out. It’s a red flag for many reasons. Sometimes, it reveals that team members are frustrated at the lack of investment and attention paid to security initiatives. It also reduces the collective wisdom about system configurations and historic practices that provide key guidance in shaping responses to data breaches or preventing future incursions.
No list is perfect, but these eight considerations can cover many of the known risk factors as you protect your enterprise from the rising storm of cybersecurity attacks. Be prepared.
By Chris McNulty, CTO, Cryptzone and HiSoftware
Bio: As the Chief Technical Officer of Cryptzone and HiSoftware, Chris McNulty has global responsibility for the company’s technology strategy for SharePoint and other areas including cloud, mobile and Web compliance and security. McNulty brings over 20 years of software experience, previously he served as CTO, Windows Systems Management at Dell Software, where he oversaw solutions for SharePoint, Office 365, Yammer and related technologies. Prior to that, McNulty led the SharePoint consulting practice at KMA, a Boston based Microsoft Gold Partner.
McNulty is a Microsoft SharePoint MVP, MCTS, MCSE, MSA and MVTSP. This March he was named one of the Top 25 SharePoint Influencers for 2014. A frequent speaker at events around the globe, McNulty is the author of the “SharePoint 2013 Consultant’s Handbook” among other books. He also blogs at http://www.chrismcnulty.net/blog. He holds an MBA in Investment Management from Boston College and has in-depth experience in financial services technology gained with John Hancock, State Street, GMO and Santander.
