BreachExchange mailing list archives

Ways to avoid a multi-million dollar security disaster


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 14 Jan 2014 17:15:40 -0700

http://www.scmagazine.com/ways-to-avoid-a-multi-million-dollar-security-disaster/article/329238/

From Adobe to Facebook, security breaches continue to be top-of-mind for
both companies and users, and organizations around the globe are all
wondering if they are next in line to deal with a breach of their own.
Hackers may always be a few steps ahead of companies when it comes to
cracking codes and stealing information, but as we dissect breach after
breach, it's clear that companies are not helping their security cause –
they are actually jeopardizing it in more ways than one. With a few simple
steps, companies can take back control of their infrastructure and assure
that their next breach is merely an inconvenience rather than a
multi-million dollar catastrophe.

Data collection

Why do companies need to know a user's mother's maiden name, the date their
father was born and their favorite color when they were in kindergarten?
Organizations that collect numerous forms of identifying information think
they are creating a more secure user experience when in fact they are
putting themselves at greater risk for security breaches. Users expect that
when answering those levels of questions, their data is going to remain
private; however, because of the way the information is stored, they are at
greater risk of their online identities becoming compromised.

There are few solutions when considering the collection of data. For those
organizations that choose to continue asking for identifying information,
they should reduce the number of questions asked and turn to data
encryption to store the user's information. Please realize that data
encryption is a well understood science, as is the analysis of encryption
with the intent of breaking it. You cannot simply apply basic obfuscation
to your data, and expect it to be secure in the event of a real hacking
attempt. Instead organizations should use proven and reliable encryption
implementations and techniques, utilizing salt and other entropy to make it
more secure. When encrypting the data, organizations need to collect less
information to ensure that in the event that there is a security breach,
passwords will not be jeopardized and online identities will remain private.

Two-factor authentication

But, the truth of the matter is that storing passwords – even those that
are encrypted – is simply one step. Although it can be a bit more
cumbersome, two-factor authentication is the approach that all companies
should consider when offering users the options of using their services
online. With an extra layer of security, two-factor authentication allows
for usernames and passwords to serve as the first point of entry, requiring
an additional secure code that has been sent to them via another device,
like a mobile phone, to complete their login. The drawback? It's another
step that users must take to access their information, and it may deter
them from wanting to leverage that site or application because of the extra
step. As more people experience the impact of data breaches and personal
online information being compromised, and the conversation about two-factor
authentication continues, organizations of all sizes will be forced to
implement this simple solution to prevent the theft of data and personal
identifying information during breaches.
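The "additional secure code" on another device that the article describes is most often a time-based one-time password (TOTP, RFC 6238) shown by an authenticator app. As an added example, not taken from the article or the list, here is a standard-library implementation of the server side: enrolling a shared secret, computing the current code, and verifying a submitted code with a small clock-skew window. The secret in the demo is the RFC 6238 test vector, so the expected codes are the published ones.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, int(for_time) // step, digits)


def verify_totp(key: bytes, submitted: str, for_time: float,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Accept the code for the current step or +/- `window` steps of clock skew.

    Every candidate is compared in constant time and the loop never exits early,
    so the response time does not reveal which step (if any) matched.
    """
    counter = int(for_time) // step
    matched = False
    for delta in range(-window, window + 1):
        candidate = hotp(key, counter + delta, digits)
        matched |= hmac.compare_digest(candidate, submitted)
    return matched


def enroll() -> tuple[bytes, str]:
    """Generate a fresh 160-bit secret and its base32 form for the user's app."""
    key = secrets.token_bytes(20)
    return key, base64.b32encode(key).decode()


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); not a real user's key.
    test_key = b"12345678901234567890"
    print(totp(test_key, 59))            # 287082 per the RFC test vectors
    print(totp(test_key, 1111111109))    # 081804
    print(verify_totp(test_key, "287082", 89))   # True: one step of skew allowed
    print(verify_totp(test_key, "287082", 119))  # False: two steps late
    key, b32 = enroll()
    print("provision this to the authenticator app:", b32)
    print("current code:", totp(key, time.time()))
```

In deployment the server also records the last accepted counter per user and refuses anything at or below it, so a code observed over the shoulder cannot be replayed within the same window; the article's point about user friction is exactly why the skew window exists at all.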

The bigger issue

To truly understand the heart of the problem, organizations must take a
step back and evaluate the core of their IT infrastructure. Let's face it,
when it comes to developing and managing an IT infrastructure, the security
layer is the least glamorous. Administrators and developers would prefer
to focus their time on the parts that get the most positive recognition and
attention. The security layer is likely only capturing someone's attention
when there is a problem, so it's not nearly as fun to work on as designing
and managing a homepage. But, as any company that has recently experienced
a security breach knows, even though security may not be the most glamorous
of jobs, it is certainly one of the most high profile and critical.

Outside of finding a crew of administrators and developers who have the
passion and knowledge to balance sexy with mission critical, it's important
to have a team that has complete visibility into the infrastructure. With
all of the breaches happening, it's easy to ask why companies aren't
implementing stricter policies for securing user data. Honestly, many
companies aren't really aware of what is happening in their underlying
systems. As a result of utilizing off-the-shelf third party software,
companies don't truly understand what is happening within the depths of
their infrastructure. The good news? The fix is simple. Instead of
utilizing third-party software, companies can choose open source solutions.
Unlike the third-party solutions, open source products offer full
transparency, giving companies a clear picture of how the software is
interacting with other layers, allowing for administrators to identify
issues almost immediately.

Yes, hackers may always be one step ahead in the security race, but it's
important for organizations to take ownership – knowing that with a few
small adjustments to their security policies and management that they can
prevent the next breach from turning into a major catastrophe. From the
basics of spending adequate time and resources focusing on the security
level of your infrastructure and knowing what is happening at all layers,
to reducing liability by collecting limited information and encrypting
data, the steps needed to secure your infrastructure and protect your
customer, partners and employees' data are minimal compared to the
inevitable consequences.

If the keys to the front door are left under the mat, it does not matter
how secure the fort is! The same metaphor applies to protecting data and
identities. Security is everyone's responsibility.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
