BreachExchange mailing list archives

Previous By Date Next
Previous By Thread Next

Data Security Is A 'Lifecycle' Commitment

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 3 Mar 2015 18:57:28 -0700
http://www.forbes.com/sites/teradata/2015/03/03/data-security-is-a-lifecycle-commitment/

Data security is one of those mission-critical issues people are always
talking about and building solutions and policies around. But, even when we
focus on the right problems, too many businesses are doing so at the wrong
time – namely, after a breach has happened.   Determined hackers have
proven again and again that they can violate just about any perimeter put
in front of them. Yet somehow, many companies still wait for a breach and
then use it as a catalyst for updating security designs and policies moving
forward. It’s a permanent response-mode that can be futile, frustrating and
costly.

Better information security requires that we think more proactively and
understand two basic realities:  1) The next breach is an inevitable “when,
not if” kind of occurrence that will happen sooner or later, and 2) Data
security is a lifecycle that involves steps you can and should take before,
during and after a breach.

Once we understand the need for continual work in the face of ongoing
danger, we start to see that there is no silver bullet, no single answer to
fully protecting data. And, the multi-faceted blend of technology and
processes that we do come up with needs to address the inevitable nature of
the threat. There are many ways to go about it. One successful approach
I’ve used is to focus on three interrelated priorities.

Manage Access to the System

Yes, a breach will ultimately happen, but we still do as much as possible
to secure normal operations and ensure that only authorized users can
access designated parts of your systems. Look to incorporate robust IP
filters and password controls, along with external authentication and
authorization systems like Kerberos and software protocols like LDAP.  Use
fine-grained access rights and privileges for user authorization, and pay
special attention when managing credentials on client systems, or using
applications with connection pools.

Secure Sensitive Data

Limiting access to certain information once someone is in your system helps
govern your own users’ movements within your data architecture. But, it
becomes crucially important mid-breach when you’re trying to limit damage
in real-time from an intruder.  Good systems leverage strong network
traffic encryption along with options like row-level security, column-level
data encryption and tokenization, full disk encryption, and tape/disk
backup encryption.  By compartmentalizing access, you compartmentalize
damage.  The trick is to protect data while still keeping the system agile,
so compartmentalizing doesn’t turn into a silo experience for your trusted
users.

Actively Audit and Monitor

System administrators should implement strong security practices that
monitor data access and flag unusual patterns in the data.  This can be
crucially important when you are in the process of getting hacked and when
it’s over. You can find clues via the access controls you have in place to
protect the perimeter, but you can learn a lot more by also maintaining
comprehensive audit logs. Forensics like this may seem like extra work in
cases where the damage is already done, but understanding patterns of
breach behavior can offer crucial insights. Just remember that the only
thing worse than suffering a breach is suffering through the uncertainty
afterward when you don’t know who hacked you, how and what data they
accessed.

Whatever approach you take, make sure you deploy, operate and accredit your
systems to comply with rigorous security standards like the PCI Data
Security Standard and ISO 27000 standards.

By now you see it takes a lot of work, but a comprehensive and proactive
approach to security is the surest way to protect your data. Hackers are
agile and always vigilant; we should be too.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!
Previous By Date Next
Previous By Thread Next

Current thread: