Sunday, January 13, 2008

7 Rules For Avoiding Online Data Breaches

I spend a lot of time detailing the failings of the Information Technology Industry, including today's entry on potential problems at the TSA, and not nearly enough discussing how to avoid falling into the breach, so to speak. Thanks to eWeek for giving me a chance to hop on their bandwagon by posting their 7 ways to avoid being the next data breach. So please take the time and read eWeek - How to Avoid the Next Data Breach:

1. Have a viable, up-to-date security policy: Make sure your security policy takes into account what data assets need protecting, the threat landscape and the potential consequences of a breach. Have procedures in place for quick response so that if the worst happens, the organization can react rapidly and minimize damage. Too many companies have policies that address yesterday's threats, or ones that are up to date but are hidden from the employees who should know them by heart. Communicate your policy to employees, and revise it periodically.

2. Know your sensitive data and safeguard it: Determine where your sensitive data assets are – by "sensitive", we mean data that if stolen or exposed would cause serious damage to the business, its employees, shareholders, customers or partners. Control access to this data, preventing unauthorized copying, printing and backups. When reading about lost laptops with sensitive data (encrypted or not), one often wonders what such data was doing on a laptop in the first place – start there.

3. Apply the least privilege principle: Give users and applications the minimum required access, especially as regards sensitive data. Do not grant privileges based on future needs but current ones, and regularly review existing privileges and revoke the ones that are no longer required. In today's enterprise, with so many consultants, outsourced developers and partners gaining access to internal systems, it is easy to disregard just how many external elements have access to systems for which they no longer need it.

4. Encrypt data in motion: Choose the right solution for your environment, using strong encryption standards and algorithms, coupled with authentication and key exchange mechanisms that make sense. There is no "one size fits all", and a heterogeneous environment may require the use of various standards including IPSec, WPA2, SSL and SSH. TJX, for example, used weak encryption (WEP) on its point-of-sale WiFi devices, giving criminals the opening through which they began stealing credit card numbers.

5. Encrypt data at rest: When done right, this ensures that only those who need to see sensitive data see it. However, it is important to choose the right kind of encryption and do it judiciously, covering only sensitive data. Key management is crucial, because if encryption keys are distributed to too many users, applications and devices, it will render itself useless in terms of security.

6. Monitor database activity: Nowhere would you find more useful sensitive data than in enterprise databases, yet most enterprises have zero visibility into who is doing what in the database. Real-time monitoring and auditing gives you the ability to enforce usage policy and provides an additional and necessary layer of security in the place most likely to be the source of a major breach. Apply automatic prevention where appropriate (e.g., obvious SQL injection attacks). The hackers that pilfered almost 100 million credit card records from TJX could not have done so without unfettered access to the database – monitoring would have certainly caught this early on. It is not for naught that database activity monitoring is considered a premier "compensating control" in PCI DSS, being a viable alternative to encryption.

7. Regularly check and harden configuration of components: Use automated tools to find bad configurations, weak passwords and vendor defaults in databases, application servers, routers and other devices. For example, a certain system has a default privileged user account that comes with the password "change_on_install", which of course needs to be changed after installation but sometimes is not. A surprising number of breaches are due to weak passwords – those are practically "X marks the spot" signs for potential intruders.
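As an added example (not from eWeek or this post), a small Python audit that puts rules 3, 6 and 7 into practice on constructed data: it flags vendor-default and weak database passwords, and scans constructed audit-log lines for users outside a least-privilege allow list and for obvious SQL injection. The account names, allow list and log format are assumptions; the default password `change_on_install` is the one the list mentions.

```python
import re

# Constructed sample data for this example. The default password "change_on_install"
# is the one the post cites; account names, allow list and log format are assumptions.
VENDOR_DEFAULTS = {"change_on_install", "manager", "admin", "password"}
ALLOWED_USERS = {"app_rw", "report_ro"}  # rule 3: who currently needs DB access
ACCOUNTS = [
    {"user": "vendor_admin", "password": "change_on_install"},  # placeholder name
    {"user": "app_rw", "password": "C0rrect-Horse-Battery-Staple"},
    {"user": "report_ro", "password": "report"},
]
SAMPLE_LOG = [
    "2008-01-13T09:00:01 user=app_rw stmt=SELECT name FROM customers WHERE id = 42",
    "2008-01-13T09:00:07 user=app_rw stmt=SELECT * FROM cards WHERE acct = '' OR '1'='1' --",
    "2008-01-13T09:01:15 user=old_contractor stmt=SELECT pan FROM cards",
    "2008-01-13T09:02:00 user=report_ro stmt=SELECT count(*) FROM orders",
]
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) stmt=(?P<stmt>.*)$")
# Signatures of "obvious" injection only; real monitoring products parse SQL, not regex.
INJECTION = [
    (re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I), "tautology (' OR '1'='1)"),
    (re.compile(r"\bunion\s+(all\s+)?select\b", re.I), "UNION SELECT"),
    (re.compile(r";\s*(drop|delete|truncate|shutdown)\b", re.I), "stacked destructive statement"),
    (re.compile(r"--|/\*"), "comment used to truncate the query"),
]

def audit_accounts(accounts, min_len=12):
    """Rule 7: flag vendor-default and weak passwords before an intruder finds them."""
    findings = []
    for a in accounts:
        pw = a["password"].lower()
        if pw in VENDOR_DEFAULTS:
            findings.append((a["user"], "vendor default password"))
        elif len(pw) < min_len or pw in a["user"].lower():
            findings.append((a["user"], "weak password"))
    return findings

def audit_log(lines, allowed=ALLOWED_USERS):
    """Rule 6: review each logged statement; flag off-policy users and obvious injection."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            findings.append(("?", "unparseable log line: " + line))
            continue
        if m["user"] not in allowed:
            findings.append((m["user"], "user not in least-privilege allow list"))
        for pattern, label in INJECTION:
            if pattern.search(m["stmt"]):
                findings.append((m["user"], "possible SQL injection: " + label))
                break
    return findings
```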

2008 will be the year that either the industry and government really get serious about solving this growing problem, or the data breaches will become so bad that the public forces them to act. It pays to be proactive and take eWeek's seven suggestions to heart.
