BreachExchange mailing list archives

Preventing Data Breaches: Back to the Basics


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Dec 2013 22:03:10 -0700

http://www.lbmcsecurityservices.com/preventing-data-breaches-back-to-the-basics/

While reading about recent data breaches, one thing comes to mind: Remember
the Basics.  Yes, there are evil hackers who want your data and APTs are
difficult to detect, but the majority of reported breaches can be prevented
or their damage limited by some basic controls.

- Encrypt your systems, especially laptops
- Change the password culture at your organization, change passwords often,
and do not share
- Review the logs

Encrypt all systems that move

This first point is seen time and again in the breach reports.  XYZ
organization has been breached because a laptop was stolen, either from the
premises or after an employee took it off the premises.  While not
foolproof, full disk encryption will help limit the thief’s ability to
access any data on the system.  To address some of the early criticisms,
full disk encryption has become more stable and less expensive to
implement.

Password Security

Passwords are like toothbrushes and underwear; you don’t share them and you
should change them often.  It is a crude analogy, but it is true.  Multiple
breaches have been reported to be due to unauthorized people using the
credentials of those who were authorized to access records.  Sometimes the
unauthorized individuals are accessing records for months before they are
discovered.  First, ensure your organization has a culture that prevents
the sharing of passwords, with anyone, ever, not even an administrator.
Oftentimes a technician will ask for a password to make his/her work
easier, but this should never be acceptable and employees should be aware
that they can tell the technician no without fear of retribution.  That
said, there are environments where the need to protect passwords is weighed
against the needs of the business, such as healthcare.  In those
situations, the business should weigh the cost of a breach versus the cost
to implement other technologies for authentication.  Usernames and
passwords take time to log in, but proximity badges with a short pin are
multi-factor and may be faster for a nurse or doctor to use without slowing
patient care.

Review the logs

Computer systems produce mountains of data, so what do you look for? First,
start with your most valuable assets.  Looking for data leaving the network
may be difficult for a small business, so start with what is valuable and
stay close to the source.  Recent breach reports indicate what appears to
be an uptick in organizations self-detecting unauthorized access, instead
of outside third parties informing the affected.  How is this done? By
reviewing logs.  An example of such a review may be a regular review of who
accesses which records at a medical facility to verify that access complies
with each individual’s shifts and assigned patients.  If there is a worry
about data exfiltration, the best option may be to hire a third party to
monitor network traffic as it enters and leaves the network.  Log
monitoring can be like drinking from a fire hose; turning it all on at once
will just be overwhelming and there will be little to no value.  Instead,
start small, define the most valuable assets and determine what should be
reviewed and how often.  Then grow from there, bringing in outside
resources if necessary.  If you already do these things, seek to increase
the frequency.  Catching issues weekly is better than monthly, and monthly
is better than every 6 months.
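The record-access review described above (does each access fall within the
user's shift and touch only that user's assigned patients?) is small enough
to automate.  The script below is an added example, not code from the
article or from LBMC; the log format, the shift table, the patient
assignments and every log line are constructed for illustration, and a real
deployment would read them from the EHR audit log and the staffing system.

```python
"""
Record-access review: flag each access to a patient record that falls
outside the accessing user's shift, or that hits a patient the user is not
assigned to.  Everything below (log format, shifts, assignments, log lines)
is constructed sample data for this example.
"""
from datetime import datetime

# Constructed sample: shift windows per user, as (start, end) ISO timestamps.
SHIFTS = {
    "nurse_a": [("2013-12-19T07:00", "2013-12-19T19:00")],
    "nurse_b": [("2013-12-19T19:00", "2013-12-20T07:00")],
}

# Constructed sample: which patient records each user is assigned to.
ASSIGNMENTS = {
    "nurse_a": {"P1001", "P1002"},
    "nurse_b": {"P1003"},
}

# Constructed sample audit log: "<timestamp> key=value ..." per line.
# "contractor" has no shift and no assignments on file.
SAMPLE_LOG = """\
2013-12-19T08:15:00 user=nurse_a record=P1001 action=view
2013-12-19T09:40:00 user=nurse_a record=P1003 action=view
2013-12-19T21:05:00 user=nurse_b record=P3 action=update
2013-12-19T23:30:00 user=nurse_a record=P1002 action=view
2013-12-19T10:00:00 user=contractor action=view record=P1001
this line is malformed and should be skipped
"""


def parse_line(line):
    """Parse one audit line into a dict, or return None if it is malformed."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if "user" not in fields or "record" not in fields:
        return None
    return {"ts": ts, "user": fields["user"], "record": fields["record"],
            "action": fields.get("action", "?")}


def on_shift(user, ts, shifts):
    """True if ts falls inside any shift window recorded for user."""
    for start, end in shifts.get(user, []):
        if datetime.fromisoformat(start) <= ts < datetime.fromisoformat(end):
            return True
    return False  # unknown users have no shift and are always flagged


def review(log_text, shifts=SHIFTS, assignments=ASSIGNMENTS):
    """Return (timestamp, user, record, reasons) for every suspicious access."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # a production review should count skipped lines too
        reasons = []
        if not on_shift(ev["user"], ev["ts"], shifts):
            reasons.append("outside shift")
        if ev["record"] not in assignments.get(ev["user"], set()):
            reasons.append("patient not assigned")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["user"],
                             ev["record"], ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for ts, user, record, why in review(SAMPLE_LOG):
        print(f"{ts} {user} {record}: {why}")
```

Run it daily or weekly against the previous period's export; the point of the
article is the cadence, not the tooling, and a list of a few flagged rows per
shift is something a supervisor can actually act on, unlike the raw log.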

In short, by learning from current breaches, an organization can see how
certain common actions can be more valuable than the major technical
solutions.

- Encrypt your portable systems. Windows BitLocker (included with most
current versions of Windows) is better than nothing.
- Make sure your organization has a culture that keeps passwords secure. If
the business will not allow it, look into other mechanisms for
authentication.
- Review computer logs. Start with your most valuable systems and data and
grow from there.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
