If you don't think your data is vulnerable, just search Google for “data breach,” and limit the search to news in the last month. You'll get more than 2,000 results. And while most may be redundant, there are enough unique stories to demonstrate that if your company network is accessible via the Internet, it is potentially under attack.
In 2011, the top 10 reported data breaches netted hackers more than 170 million data records, including personally identifiable information (PII) such as names, addresses, and email addresses. More serious information including login credentials, credit card information, and medical treatment information was also exposed.
While there is no data on the security employed on the systems from which this data was taken, the variety of companies and the volume of data compromised is significant enough to point out that no system should be considered safe.
Even if you encrypt your data, you are only part of the way there. In its "2012 Data Protection & Breach Readiness Guide," the Online Trust Alliance (OTA) notes that data and disk encryption is just one of 12 security best-practices. But why isn't encryption by itself enough?
Unfortunately, encryption is not enough because of the number and variety of attack vectors that are launched against your network every day. According to Verizon's "2012 Data Breach Investigations Report," the vast majority of all breaches in 2011 were engineered through online attacks in the form of hacking, malware, or social engineering -- an approach where human interaction, rather than software, is used as the attack vector.
Let's look at the list of “Security Best-Practices” provided by the OTA (first column of the table below) with my added comments and thoughts as to the purpose behind the recommendation (second column). Please note, I am in no way affiliated with the Online Trust Alliance, and I had no input into the report cited.
Table 1: Security Best-Practices & Commentary

| Recommendation | Purpose / Comments |
| --- | --- |
| 1. Use of Secure Sockets Layer (SSL) for all data forms | Limits network snooping. CAUTION: Because of known hacks to SSL, only TLS v1.1 and 1.2 should be used. |
| 2. Extended Validation of SSL certificates for all commerce and banking applications | This is a consumer-protection recommendation. It does nothing for securing data. |
| 3. Data and disk encryption | Limits data access. Disk encryption, depending on its implementation, uses either a software key or a hardware key that can encrypt the volume and/or the Master Boot Record (MBR). Data encryption, depending on implementation, can encrypt fields within a table or entire tables. The encryption can be symmetric or asymmetric. It prevents access to the information in the tables. |
| 4. Multilayered firewall protection | Limits cross-tier network access. |
| 5. Encryption of wireless routers | Limits network entry points by blocking unauthorized wireless access. |
| 6. Default disabling of shared folders | Limits network entry points by removing common shares and their associated, known passwords. |
| 7. Security risks of password reset and identity-verification security questions | Limits unauthorized password resets or unintentional leaks of password information. |
| 8. Upgrading browsers with integrated phishing and malware protection | Limits an attack vector. |
| 9. Email authentication to help detect malicious and deceptive email | Limits an attack vector. |
| 10. Automatic patch management for operating systems, applications and add-ons | Reduces zero-day exploits or malware delivered as a software patch. |
| 11. Inventory system access credentials | Limits loss of network access. |
| 12. Remote wiping of mobile devices | Limits loss of data from stolen/lost/known compromised mobile devices. |

Source: Online Trust Alliance and Hendry Betts III
In the Purpose/Comments column above, I used the verb “limits” intentionally because nothing completely prevents users from responding to social engineering, phishing attacks via email or Web sites, or malicious downloads. User education is, in my opinion, the best tool to limit the impact of these types of attacks.
Both my personal experience and the best-practices outlined in the OTA report show that there is no single silver bullet for data protection. The best-practices to protect your company's data engage the network, the data, and the users themselves. And, ultimately, I think the absolute best-practice is to expect a breach, actively monitor your networks, and educate the users.
MPK: "What is suggested is the same that's been suggested for years. And it's obviously not working."
hmmmmm
This morning's Suggested Reading is on Secure Business Intelligence and deals with the Blackhole Virus Kit
There is so much good stuff on this thread this morning I'm going to just add a little of my own rather than trying to answer individual items -- of which there are so many really good ones!
As I see it, part of our problem is one of perception. If you see your computer like this:
then you may try to defend the entire perimeter (light blue). This is not feasible because your application programs -- web browser, spreadsheet, e-mail, &c. -- are constantly taking in new data files, which may (and often do) contain executable scripts, such as Java, Visual Basic, .php, &c.
As soon as you read an infected file, you are sunk.
You should view your computer more as follows:
The above depicts a system that is "sandboxed": each application runs in its own "sandbox" and does not have general access to the whole machine. If it wants to update anything, it has to ask the O/S to do that. The reader should remember that this security is built into the x86 chip architecture and has been there since the 80386.
Most attacks will attempt to "drop" malware on you; i.e. they will attempt to install some unauthorized programming on your computer. This is where User Account Control (UAC) comes into play: UAC will ask you if you want to allow an update. You could then use an anti-virus product to "vet", i.e. check the known reputation of, whatever it is you want to install.
And this will help.
Remember though: while "sandboxing" was part of the original IBM System/360 (1965), RACF was added in 1974. RACF was used to answer the key question: should we allow User "X" access to resource "Y"?
In advanced Windows environments today one would consider "AppLocker". AppLocker will allow the system administrator to decide what programming is authorized. This is a "whitelist" approach.
Good thread. The added key is: do not allow unauthorized programming. For this you must take control of the list of authorized programming. Only after you have control over the programming in the machine do encryption and authentication come into play.
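The "whitelist" idea in the comment above, shown as a hash-rule allow-list audit. This is an added example written for this page, not AppLocker's own logic or code from the commenter; the file extensions treated as "programming" and the constructed files in `demo()` are assumptions for the demonstration.

```python
import hashlib
import os
import tempfile

# Extensions treated as "programming" for this demo (assumption; AppLocker's own
# rule collections cover executables, scripts, installers and DLLs).
PROGRAM_EXTS = (".exe", ".dll", ".ps1", ".bat", ".vbs")


def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(directory, allowed):
    """Allow-list check: every program file under `directory` must have a SHA-256
    that appears in `allowed`. Anything else, whether a newly dropped file or a
    known file whose bytes changed, is reported as unauthorized.
    Returns (authorized, unauthorized) as sorted lists of relative paths."""
    authorized, unauthorized = [], []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.lower().endswith(PROGRAM_EXTS):
                continue  # data files are not "programming" for this check
            path = os.path.join(root, name)
            bucket = authorized if sha256_file(path) in allowed else unauthorized
            bucket.append(os.path.relpath(path, directory))
    return sorted(authorized), sorted(unauthorized)


def demo():
    """Build a throwaway directory of constructed files (not real binaries),
    approve exactly one of them, audit, then tamper with the approved file and
    audit again. Returns (before_tampering, after_tampering)."""
    with tempfile.TemporaryDirectory() as d:
        files = {"approved.exe": b"MZ-approved-build-1.0",
                 "dropped.exe": b"MZ-unknown-dropper",
                 "notes.txt": b"not a program"}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        allowed = {hashlib.sha256(files["approved.exe"]).hexdigest()}
        before = audit(d, allowed)
        with open(os.path.join(d, "approved.exe"), "ab") as f:
            f.write(b"-patched")  # simulate an in-place modification
        after = audit(d, allowed)
    return before, after


if __name__ == "__main__":
    print(demo())
```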
I get what you are saying -- from an end-user perspective. However, my article was addressing Data Security from a corporate perspective. A corporate website should, in my opinion, not have third-party companies serving up ads. If they want clickstream revenue then perhaps they should create their own interface into the data stream -- something I know can easily be done. From a corporate computer perspective -- use DNS to block ad sites, and that filters out the problem of sites like Yahoo having their ad stream hijacked. And while there was mention of browsers in the best practices -- the majority of the information was built around what a company would need to do to keep its internal data safe from malicious loss.
I have no doubt that these exploits exist. However, I have been lucky enough (in the last 22 years) to not get infected because I don't click on links that have a different or suspicious URL in the status line. I don't show images in my spam box, and I'm exceedingly careful about what my family downloads (and they are not IT professionals). I also keep my antivirus updated on a daily basis (and I pay them to be up to date). So while I do not doubt what you are saying, from a corporate perspective, these things can be avoided and mitigated if the business takes the business of IT seriously and intends to educate rather than blame its employees.
Hendry, I like this post. Plenty of information, and a good reminder of just how much most of us are letting slide. But this is like the auto industry -- the car builder can tighten every nut but the one behind the wheel. Fortunately, training people to be wary of social engineering may be one of the easier tasks. Being nice and wanting to help is good, but teaching people to stop a second and wonder who we're helping to do exactly what can be easily inculcated. And it works. Perfect example: last week in my wife's company, a person called her boss to expedite access to some data, claiming to be from the company's "fraud" department. When the boss mentioned this to her, her first response was, "Oh, HELL no!" Her second response was to IM a contact in the Data Security department, who contacted the party to ask what was really required. Access was then granted only to the specific file needed. Helpful, courteous, and quick response to the request, without exposing any additional data. Educating users is as important as any firewall, and it makes them better, more valuable employees (and better human beings, too). Or, we could scrap all that, and just have them sign the Corporate Loyalty Oath. That'll work, right?
You cannot educate people about the unknown. Some major "outside the box" advancement will be required to solve this if it's even possible. Security has been playing catch up as long as we've been around.
That might be true but it doesn't change the fact that an educated user base is still better than an uneducated one. What exactly are you trying to promote?
The point of the article is to realize that relying on a single system to protect data is not enough. No matter what the next step in security is, the users need to be on board either to support its implementation, practices, or continued development.
That's only going to happen if users are aware of how big the threat is and that's part of education.
I've been in IT for 35 years -- been writing about IT security for 15. Right now the fastest-growing ploy of bad guys is to subvert websites or ad networks displayed on websites.
Visitors do not have to do anything other than accidentally hover their mouse over an ad or a small pixel image and the malcode is installed. Keeping their computer up-to-date and abiding by all best practices does not help when this happens, because it is zero-day malware -- there are no updates or patches. I have more examples if you wish.
I'd prefer to have a more seasoned I.T. security professional jump in here, but a lack of education is what gets the majority of the computers infected in the first place.
Users clicking dangerous links, users falling for phishing schemes, users not installing security software on their home machines so they don't wind up part of a botnet, users using really weak passwords, CEO users not valuing security so their companies are breached... it all comes back to education.
Michael P. Kassner: You didn't specify what you said "wasn't working," but your first post on the subject was "I submit that what you ask to happen -- particularly with social engineering -- will require a change in human nature." Thus it sounded like you were saying that education wasn't working.
Now it sounds like you're trying to support your argument by submitting that education can't help against zero-day malware, but that doesn't have too much to do with social engineering which seemed to be the focus of the first comment.
Still, education can help thwart even zero-day malware by ensuring best practices are followed and one breach doesn't mean total data exposure (depending on circumstances), and ensuring users can identify suspicious activity and its threat. Education can also minimize exposure to malware in the first place.
Education is the core of any security because if the users don't play along the security isn't going to happen. So yes, educated users help minimize the damage of zero-day malware in comparison to what would happen in a situation with uneducated users.
Yes. You can hire bodies to sit and watch log files (in Unix, tail -f). Are they up to what tools can do? No. Automation allows fewer people to consume and analyze more data, and keeping costs down (TCO) is really what business and IT are all about [when the business is not IT itself].
For larger companies where the threat of data compromise is presumed to be real, the manual processes have already led to the use of tools that automate some of the network monitoring.
But for small and medium companies, that may not understand the threat or the cost to the company (both real and in reputation), I don't think they should just go out and purchase a tool without understanding what it does and having the right staff to make best use of the tool. This idea of tool usage represents a fine balancing act.
Many executives have been sold on a tool and its capability at a show. They purchase the tool but don't have the in-house knowledge to implement it. And so they are stuck with a software albatross that does nothing. Their choice -- throw it away (and eat the loss) or educate the IT team (or even develop an IT team) and then actually make use of the tool they purchased. I've seen both done.
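The kind of automation the comment above contrasts with watching `tail -f`, as an added example written for this page rather than code from the author or any product: a sliding-window detector over sshd-style syslog lines. The log lines are constructed for the demonstration, the year is assumed (syslog timestamps carry none), and the threshold and window are illustrative settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in syslog/sshd format (made up for this example, not real logs).
SAMPLE_LOG = """\
May 14 09:01:02 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
May 14 09:01:05 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 51030 ssh2
May 14 09:01:09 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51041 ssh2
May 14 09:01:12 web1 sshd[2217]: Failed password for root from 203.0.113.7 port 51055 ssh2
May 14 09:01:15 web1 sshd[2219]: Failed password for root from 203.0.113.7 port 51060 ssh2
May 14 09:01:20 web1 sshd[2221]: Accepted password for root from 203.0.113.7 port 51071 ssh2
May 14 09:03:44 web1 sshd[2230]: Failed password for alice from 192.0.2.15 port 40120 ssh2
May 14 09:03:50 web1 sshd[2232]: Accepted publickey for alice from 192.0.2.15 port 40121 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line, year=2012):
    """Return (timestamp, result, user, src) for sshd auth lines, else None.
    The year is an assumption because syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def analyze(text, threshold=5, window_s=60):
    """Emit a 'warning' when one source reaches `threshold` failed logins inside
    `window_s` seconds, and a 'critical' when a login from a source that is still
    over the threshold then succeeds (the pattern a human watching tail -f would
    have to notice by eye). Returns a list of (severity, src, message)."""
    failures = defaultdict(deque)  # src -> timestamps of failures still in the window
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        q = failures[src]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # expire failures that fell out of the window
        if result == "Failed":
            q.append(ts)
            if len(q) == threshold:
                alerts.append(("warning", src, f"{threshold} failed logins within {window_s}s"))
        elif len(q) >= threshold:
            alerts.append(("critical", src, f"successful login for {user!r} after repeated failures"))
    return alerts


if __name__ == "__main__":
    for sev, src, msg in analyze(SAMPLE_LOG):
        print(f"{sev:8} {src:15} {msg}")
```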
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.