BreachExchange mailing list archives
Preventing Data Breaches: Back to the Basics
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Dec 2013 22:03:10 -0700
http://www.lbmcsecurityservices.com/preventing-data-breaches-back-to-the-basics/

While reading about recent data breaches, one thing comes to mind: Remember the Basics. Yes, there are evil hackers who want your data and APTs are difficult to detect, but the majority of reported breaches can be prevented or their damage limited by some basic controls.

- Encrypt your systems, especially laptops
- Change the password culture at your organization, change passwords often, and do not share
- Review the logs

Encrypt all systems that move

This first point is seen time and again in the breach reports. XYZ organization has been breached because a laptop was stolen, either from the premises or after an employee removed it from the premises. While not foolproof, full disk encryption will help limit the thief's ability to access any data on the system. To address some of the early criticisms, full disk encryption has become more stable and less expensive to implement.

Password Security

Passwords are like toothbrushes and underwear; you don't share them and you should change them often. It is a crude analogy, but it is true. Multiple breaches have been reported to be due to unauthorized people using the credentials of those who were authorized to access records. Sometimes the unauthorized individuals are accessing records for months before they are discovered.

First, ensure your organization has a culture that prevents the sharing of passwords, with anyone, ever, not even an administrator. Oftentimes a technician will ask for a password to make his/her work easier, but this should never be acceptable, and employees should be aware that they can tell the technician no without fear of retribution. That said, there are environments where the need to protect passwords is weighed against the needs of the business, such as healthcare. In those situations, the business should weigh the cost of a breach versus the cost to implement other technologies for authentication. Usernames and passwords take time to log in, but proximity badges with a short PIN are multi-factor and may be faster for a nurse or doctor to use without slowing patient care.

Review the logs

Computer systems produce mountains of data, so what do you look for? First, start with your most valuable assets. Looking for data leaving the network may be difficult for a small business, so start with what is valuable and stay close to the source. Recent breach reports indicate what appears to be an uptick in organizations self-detecting unauthorized access, instead of outside third parties informing the affected. How is this done? By reviewing logs. An example of such a review may be a regular review of who accesses which records at a medical facility, to verify that each access complies with the individual's shifts and assigned patients. If there is a worry about data exfiltration, the best option may be to hire a third party to monitor network traffic as it enters and leaves the network.

Log monitoring can be like drinking from a fire hose; turning it all on at once will just be overwhelming and there will be little to no value. Instead, start small, define the most valuable assets, and determine what should be reviewed and how often. Then grow from there, bringing in outside resources if necessary. If you already do these things, seek to increase the frequency. Catching issues weekly is better than monthly, and monthly is better than every 6 months.

In short, by learning from current breaches, an organization can see how certain common actions can be more valuable than the major technical solutions.

- Encrypt your portable systems. Windows BitLocker (included with most current versions of Windows) is better than nothing.
- Make sure your organization has a culture that keeps passwords secure. If the business will not allow it, look into other mechanisms for authentication.
- Review computer logs. Start with your most valuable systems and data and grow from there.
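The shift-and-assignment review of record access described above, written out as an added example (not part of the original article or the linked site): the log lines, shift table and patient assignments are constructed sample data, and the CSV layout is an assumed format.

```python
"""Flag record accesses outside a user's shift or assigned patients (added example)."""
from datetime import datetime

# Constructed sample data for illustration only, not real hospital records.
# Each line: ISO timestamp, user id, patient record id.
ACCESS_LOG = [
    "2013-12-18T09:15:00,nurse_a,PT-1001",
    "2013-12-18T10:40:00,nurse_a,PT-2002",     # patient not assigned to nurse_a
    "2013-12-18T23:05:00,nurse_a,PT-1001",     # outside nurse_a's shift
    "2013-12-18T20:10:00,nurse_b,PT-2002",     # normal
    "2013-12-18T02:30:00,contractor,PT-1001",  # no shift, no assignment
]

# user -> (shift start, shift end), inclusive
SHIFTS = {
    "nurse_a": (datetime(2013, 12, 18, 7), datetime(2013, 12, 18, 19)),
    "nurse_b": (datetime(2013, 12, 18, 19), datetime(2013, 12, 19, 7)),
}
# user -> patients the user is assigned to
ASSIGNMENTS = {"nurse_a": {"PT-1001"}, "nurse_b": {"PT-2002"}}


def parse_line(line):
    """Split one CSV log line into (datetime, user, patient)."""
    when, user, patient = line.strip().split(",")
    return datetime.fromisoformat(when), user, patient


def review_access(log_lines, shifts, assignments):
    """Return (timestamp, user, patient, reasons) for each access a human should check."""
    findings = []
    for line in log_lines:
        when, user, patient = parse_line(line)
        reasons = []
        shift = shifts.get(user)
        if shift is None:
            reasons.append("no shift on record")
        elif not shift[0] <= when <= shift[1]:
            reasons.append("outside scheduled shift")
        if patient not in assignments.get(user, set()):
            reasons.append("patient not assigned to user")
        if reasons:
            findings.append((when, user, patient, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for when, user, patient, reasons in review_access(ACCESS_LOG, SHIFTS, ASSIGNMENTS):
        print(f"{when:%Y-%m-%d %H:%M} {user} -> {patient}: {', '.join(reasons)}")
```

Run against the sample log, three of the five accesses are flagged; the two in-shift accesses to assigned patients produce nothing, which keeps the review list short enough to read weekly.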
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.