Data breach planning and prevention tips

Losing data can be tremendously devastating to a company. It could compromise security, information, and jobs. Today, I will look at twelve actions that a company can take to mitigate the risks of a data breach. These twelve steps, performing a risk analysis, asset identification and classification, attention to detail, encryption, social networking, compliance, management of personnel, least privilege, solution diversity, tracking mobile devices, data destruction and testing are essential to helping a companyÔÇÖs security program.

1)  Perform a risk analysis

The first step in combating the dangers of data breaches is performing a risk analysis.

The risk analysis will determine the threats to organizational data and assets and the likelihood of those threats occurring.  With this information the organization can create a policy or policies that respond to the results of a risk analysis. These policies should outline the dangers that the IT department could be facing.  In addition, security policies often contain protocols and measures taken in order to prevent an attack and should be revised often.  Businesses are not static, technology is certainly not static, and neither are the risks associated with data breaches.

2)  Asset identification and classification

A key part of protecting the data is having accurate and up-to-date information on data including its location, sensitivity and value.   The security team should take all of the information available and categorize it.  When you have a breach, how do you know what was exposed without asset information?

Imagine a user has a synchronization program that copies their laptop files to a directory on their home network.   Could their laptop contain sensitive files that might end up on their insecure network?  Even encrypted files would be unencrypted when transferred to another computer in this scenario.   This example illustrates that without an understanding of your information,  it becomes harder to safeguard it.

3)  Attention to detail

Taking the time to pay attention to the small details like an inexpensive flash drive may sound trivial, but it is not. ┬áFlash drives may be simple and cheap to replace, but the information stored upon them is invaluable to companies.┬á These devices could store data files containing company secrets or other information that could compromise a companyÔÇÖs well-being.

4)  Encryption

Leaving a device or individual pieces of unencrypted data is asking for a breach.  By encrypting a document or other form of data, the security team can ensure only people who have the proper clearance can access that file.  However, software is not the only medium that should be encrypted.  Laptops and other devices should have this level of protection and password-encryption as well.  This level of protection is required in order to guard the data stored on the device during transfer in the event of theft or loss.

5)  Social networking

Putting a section on social networking within the security policy may seem frivolous.  However, with the pervasiveness of websites like Facebook and Twitter, this segment of popular culture can no longer be ignored.  People post on Facebook hundreds of times a day and tweet their followers an equal amount.  The reality is that this market is growing and companies should utilize it in full.  Companies should also educate employees about the potential pitfalls of sharing too much information on these networking sites and other places like blogs, webcasts, etc.

6)  Comply with regulations and standards

Regulations protect companies, data and individuals by specifying security controls.  Compliance with standards and regulations will give a company a well thought out set of security controls.  However, this will most likely not be all the controls necessary to protect organizational data because each company is different and has differing needs.   HIPAA for example, protects PHI (Personal Health Information) but it does not protect trade secrets so the organization will need to do more before they can call themselves secure.  PCI-DSS is focused on credit card equipment, surrounding systems, and those that store or transmit credit card information but it would not be concerned with other systems.  Nonetheless,  even with the caveat, regulations and standards can bring you part of the way.

In addition to compliance, a company should frequently audit systems and procedures and implement recommended updates to make sure that it remains compliant.  Therefore, certain checks and provisions need to be included in security policies that maintain and develop a process that keeps records up to date.

7)  Manage Personnel

Breaches are mainly thought of coming from outside intruders, whereas the truth of the matter is that the greater threat comes within the organization.  Security departments often become so entrenched against outside attacks that they forget about what happens within.  This oversight should be addressed.  Employees should be treated with cordial skepticism and controls should be in place to restrict insider access and audit access.

8)  Least privilege

Minimizing data breaches means minimizing the number of people who have access to a particular piece of information.  This step goes hand in hand with management of personnel.  Allowing everyone access to everything or permissions greater than what they need is not only impractical, it is dangerous.  This scenario allows not only for disclosure of data to those who should not see it but it also allows for malicious or unintentional modification, deletion, or distribution of data.  Therefore, having a clearance system in place that filters access based on level of importance and need to know is necessary.

9)  Solution Diversity

Utilizing different levels and types of technologies provides the maximum amount of protection against malignant attacks.  Step away from just using one firewall and instead use multiple firewalls from different vendors.  For example, you could use a Cisco firewall with an additional checkpoint behind it.  Protection should begin at the network and trickle down the line until it gets to the host.  Anti-virus software, as well as, Network Access Control (NAC) should be utilized in the protection of data.  NAC allows companies to track what devices access their server, and where the device is located and to apply policies based on the state of the device such as whether or not it has up-to-date antivirus definitions.

10)  Track mobile devices

The risk to companies grows greater with the adoption of smartphones, tablets, and other personal data devices.  While these devices make checking Facebook a breeze they also can be hacked, stolen, or lost.  These potential pitfalls can wreak havoc on a company.  Therefore, a policy should be put into place outlining expected actions and reasonable security controls needed to reduce the risk of mobile data loss.   Some companies opt to have employees carry a work device, in addition to a personal device in order to keep data separate and easier to track.  Other options include a mandatory memory wipe or the installation of software that allows the company to remotely wipe the device if necessary.

11)  Destroy old documents, data, and hardware

In order to limit the risk of a breach, limit the documents and data available.  Company data and other documents run their due course and after they have outlived their usefulness they should be discarded.  However, the destruction of the material and the hardware on which these items are stored should be monitored and regulated within the data destruction policy so that a consistent and effective procedure for removing data is applied.

12)  Test the system

One of the final steps, and one that should be repeated often, is the testing of the system.  An independent, third party auditor should be hired for the sole purpose of testing the system.  These tests should be geared towards sniffing out flaws in the system.  The flaws should then be addressed and the risk policies updated.

Practice performing a risk analysis, asset identification and classification, attention to detail, encryption, social networking, compliance, management of personnel, least privilege, solution diversity, tracking mobile devices, data destruction and testing.  These twelve tips and steps are the necessities when it comes to preventing data breaches.  There are, however, many other different methods and approaches a company can take.  These approaches are outlined in my further reading.

Further reading:

http://www.campussafetymagazine.com/Channel/Security-Technology/Articles/2008/07/Data-Breach-Prevention-13-Best-Practices-You-Should-Implement.aspx

http://www.govinfosecurity.com/articles.php?art_id=3405&opg=1

http://www.eweek.com/c/a/Security/Data-Breach-Prevention-10-Tips-for-Fortifying-Network-Security-306197/

http://blog.absolute.com/7-steps-in-data-breach-prevention/

 

Essential tools of the security trade: DLP and SIEM

Data Loss Prevention (DLP) can greatly help organizations understand and control the data that is used, stored and transmitted and it is seeing increasing use in PCI-DSS compliance.  Another technology, Security Information and Event Management (SIEM), collects and analyzes data in real time from multiple sources including server logs, network devices, firewalls and intrusion detection systems.  In this article, I will enumerate how the combination of SIEM and DLP can improve the security and compliance of a corporation.  Taken together SIEM and DLP can work so that data flow within a corporation is transparent, therefore, affording more control to the corporation and less ability to misuse that information.

What are DLP and SIEM

As stated earlier, DLP is a conscious effort to prevent the loss of data due to undesirable individuals, groups, or circumstances.  DLP systems figure out which pieces of information are more important than others, therefore, creating a prioritized list.  DLP is a comprehensive set of methodologies and technologies that can look at more information across departments, better than localized isolated searches.  SIEM is technology that can take and interpret information coming in from network security devices and server logs allowing greater visibility into the use, transmission and storage of data.  SIEM allows a company to consolidate security information from many different areas so that the organization can better understand and prioritize how it will protect its data.

Protecting the companyÔÇÖs data is a primary responsibility in information security.┬á With increased complexity and interoperability of systems, this task becomes much more difficult, especially on a localized basis.┬á With the help of DLP, the job of protecting information becomes much more clear.┬á Using SIEM in conjunction with DLP can further ease the job of the information security department in protecting organizational data, preventing breaches and in meeting regulatory requirements.

The correlation between real threats in real time and how and where the most sensitive pieces of information are stored and dealt with falls squarely within the realm of SIEM and DLP.  Furthermore, allowing a combination of DLP and SIEM, a company can see its security in one program, not several, thus making the process more efficient.  Efficiency is a key part of making a good business great.  This sentiment can be translated into the world of protecting documents.  SIEM can be tuned to focus on where the data is found, thus helping the DLP team protect the information at the source, in transit, and at its destination.  Also, SIEM can refine the way that DLP identifies sensitive information, alerts DLP to new resources, and new threats to organizational information.

Combining these two methods of protection, DLP and SIEM, can give the organization more insight on where additional security controls should be placed and it allows for faster incident response.  This allows for a more effective strategy against potential threats.  DLP can prevent malicious or accidental users from abusing the system by only allowing authorized access into certain accounts, as well as, informing the company when these documents have been retrieved.  Simultaneously, SIEM is working to sharpen controls by monitoring the retrieval of the information ,thus making the retrieval alerts as streamlined, efficient, and quick as possible.  These two devices provide what information security offices need, visibility and control.

 

Examples

Internal Threats

Companies sometimes have information but cannot act on it because it is buried in a server log or a database.  For example, in 2008 Verizon Business had breach information on 82% of cases but they were unable to use this information.  DLP and SIEM could have enabled Verizon to better understand and prevent these breaches.

The reality of the world is employees often change positions.  Without proper employee termination procedures and security controls, terminated employees could transfer customer documents or steal intellectual property and other sensitive information.  The use of DLP and SIEM provides real time information in data access and can flag inappropriate or out of the norm activity.  This is something I have dealt with many times in my forensic work and I help companies protect against it in my information security consulting practice.

External Threats

Take a company that deals with the regular transfer of credit card information and is Payment Card Industry (PCI) Data Security Standard (PCI DSS) compliant.  PCI-DSS compliance can help protect the organization and mitigate a variety of attacks but DLP and SIEM can give the organization knowledge on where attacks might be focused.  Fingerprinting and other prerequisite external threats can herald the onset of a larger attack and DLP and SIEM would highlight these prerequisites so that the organization could respond and protect itself and its data.

 

DLP and SIEM in a distributed mobile world

DLP and SIEM are especially valuable to organizations that are increasingly mobile.  More and more workers access corporate data from mobile devices or machines connected to a VPN.  Protecting information was already difficult when it was limited to one network and a few select locations.  However, that time is well in the past.  New facets of modern employment widen the gap that information security needs to cover.  With the help of DLP, threats can be prioritized according to importance and with SIEM the data transfer and storage will be transparent, easing the burden on the information technology and security department in protecting a larger set of assets.

The use of DLP and SIEM can greatly enhance the capabilities of information security departments.  SIEM allows a company to make the access, transfer, and reception of data within the company more apparent and can further improve DLP initiatives in protecting and controlling data within the organization.  The advantage of using both DLP and SIEM within an individual company streamlines the process of protecting vital information and makes the company more efficient.  For more information on DLP, see my previous article.

 

For more information

Gartner Report: Critical Capabilities for SIEM

DLP opportunities seen in compliance push

 

Securing the iPads in your company

“Thinner. Lighter. Faster. Facetime. ” That is the catchphrase from the Apple page dedicated to the iPad. While Apple is known for its pithy titles for their amazing products, there is one thing that is oft ignored, but always important, and that is security. More and more people are adopting the iPad and some are using it to access business data but how can they do that securely? This article outlines the risk of using the iPad in the enterprise and some dos and don’ts for iPad security.

Consider this office scenario surrounding the iPad. The iPad 2 is just released and an executive is interested in one. Soon, with the help of a few tech savvy people in the office, he is connecting to the corporate network and accessing company data and systems. The thought of security never entered his mind. What can be done to protect this company from data loss?

While an iPad may provide a bump in productivity it also provides another portal for hackers and thieves. The problems range from a lack of uniformity in software to protect from hacking (see my LulzSec series) to general nonchalant behavior among employees about the protection of their iPads.

One of the major pitfalls of the iPad is the relative dearth of protective apps in Apple’s otherwise immense app store. Also, those apps that are available for protecting an iPad are not uniform. Apple does scrutinize apps that appear in the app store, but their net is not without holes, and an app that has malicious intent may slip through the cracks. See my article on malicious apps titled┬á”does one bad app spoil the bunch?”

Even if there was uniformity within applications concerning security, there is not uniformity between users. Much of this has to do with the perception of the device. If users were to treat their iPads less like a magazine or a newspaper and more like a company computer, the need for more than the out-of-the-box security would be clear. Here are some simple dos and don’ts that users and administrators should be aware of that can increase the security of the iPad.

Dos

  1. Locking the device. The iPad can be configured to lock the screen at a predefined interval similar to the screensaver setting on a computer. When the device is locked a password is needed to unlock the device. The iPad can also be configured to delete all data if an incorrect password is entered too many times.
  2. Encryption. iPad data can be encrypted however the encryption used on the iPad is currently vulnerable to some attacks. Still, an encrypted iPad is better than an unencrypted one and I await patches from Apple to resolve the vulnerabilities.
  3. Virtual Private Network. Use a VPN when connecting to a corporate network. The iPad ships with Cisco VPN software so that a secure tunnel can be created for connecting to another network. The VPN works with common IPSec, PPTP, and L2TP VPNs.

Don’ts

  1. Jailbreaking. Some users desire features that are not included in the official iPad operating system so they go through a process called “jailbreaking” where a new operating system is loaded onto the device or the operating system is modified so that these features become available. In the process of jailbreaking the device, however, many new security holes can be created and it is difficult to update the device when newer versions or patches are released. Newer versions and patches often correct recently discovered vulnerabilities so those that have been jailbroken will be susceptible to these vulnerabilities.
  2. Sharing. The iPad is a single user device. It does not have the capability of letting multiple users log onto it so if the device is shared with someone else all the data will be available to them. If possible, do not share an iPad that is used for work purposes with others.

As the popularity of the iPad continues to increase more and more companies will be faced with the struggle to secure the data users access via iPads. Executives and employees need to think outside of just the productivity and the coolness appeal of the iPad and look at the security concerns of the device. The tips here can help. Consider educating your employees on iPad security best practices.
For more information

How Secure Is iPad? 

iPad security for the enterprise still subject to debate 

iPhone and iPad Security: 4 Tips to Stay Safe 

Ten Tips to Enhance iPad Security

Security awareness for mobile apps

Smartphones are replacing traditional phones. These handheld devices offer users more than just the ability to make calls; smartphones such as the iPhone, Google Android, or Blackberry let owners browse the Internet, check email, and run applications. In many ways, the modern smartphone is a merger of the computer and the phone into one small pocket sized device delivering information to you anytime, anywhere. But what else is your smartphone up to? With all its similarities to the PC, smartphones also share one of the PCs less desired attributesmalware.

All three vendors, Google, Apple, and RIM maintain a directory of applications, or apps, allowing developers to publish applications to a directory for downloading. Some of those applications contained malicious code allowing phones to be converted into ÔÇ£zombiesÔÇØ for launching attacks or giving attackers access to data on smartphones such as contacts, emails, attachments, browsing history, or passwords. Some applications made calls to 900 numbers or premium texting services that you could be billed for. Both Google and Apple have identified and removed malicious apps from their directory and Google has implemented measures to remotely remove malicious apps from usersÔÇÖ phones. However, even this fact is disturbing because it demonstrates that Google has backdoor access to the Android phone. This system that today is used to remove malware, could one day be used to deploy it.

So you may be asking what you can do to protect yourself from smartphone malware. Here are some recommendations. First, download apps from trusted sites. The best controlled sites are those operated by Google, Apple, and RIM. These apps are reviewed prior to being added to their directory. It should be noted that Apple and RIM have a more stringent review process for apps published to their directory so Google Android users may have a little more difficulty finding malware free applications when using the directory. Directories are still not completely safe so users will need to exercise caution when downloading apps.

Second, you should be aware of the correct name of an application. If someone tells you to get the Facebook app, make sure you get the official application rather than Facebook Notifier or Facebook Express or some other variation. Next, make sure the spelling of the application is correct. Malicious apps masquerade as legitimate apps with a similar name. If you misspell Facebook as Facebok, an application may be available with that name but it is probably that the application in the form of malware.

Third, do not hack your phone or operating system. Many users are tempted to hack their phone by applying unauthorized firmware versions or making software modifications so that their phones will perform actions not intended by the manufacturer. Such modifications can disable vital security features of the device allowing malware to infect the machine or applications to perform unwanted actions on your phone.

Lastly, consider using anti-malware applications on your phone if you run lots of apps. iPhone users may have difficulty locating an anti-malware app for the iPhone because the iPhone OS does not allow applications to run in the background. Apple claims anti-malware applications are not needed in their operating system because of this and because all applications run in a sandbox where they are prohibited from interacting with other apps or with the system directly. However, similar techniques have been used with standard computer operating systems and such techniques have been circumvented.

To sum it up and answer the question posed at the beginning, ÔÇ£does one bad app spoil the bunch?ÔÇØ, use your smartphone with caution. Download only the apps you need and download them from a trusted source. If you utilize many applications, consider anti-malware software for your phone and do not hack your smartphone because doing so may disable security features of the phone. The threat of malicious apps on smartphones is real but you can go a long way in protecting yourself by following these guidelines.

For more information

Google purges tainted apps from Android phones

5 ways to protect your Android phone from malware

Antivirus for Smartphones?