Security breaches again made big news in 2014. Yet despite years of headline stories about security leaks and distributed denial-of-service (DDoS) attacks and repeated admonishments from security professionals that businesses (and individuals) needed to do a better job protecting sensitive data, many businesses are still unprepared or not properly protected from a variety of security threats.
Indeed, according to Trustwave’s recent 2014 State of Risk Report, which surveyed 476 IT professionals about security weaknesses, a majority of businesses had no or only a partial system in place for controlling and tracking sensitive data.
So, what can companies do to better protect themselves and their customers’ sensitive data from security threats? CIO.com queried dozens of security and IT experts to find out. Following are the six most likely sources, or causes, of security breaches and what businesses can, and should, do to protect against them.
Risk No. 1: Disgruntled Employees
“Internal attacks are one of the biggest threats facing your data and systems,” states Cortney Thompson, CTO of Green House Data. “Rogue employees, especially members of the IT team with knowledge of and access to networks, data centers and admin accounts, can cause serious damage,” he says. Indeed, “there [were] rumors that the Sony hack was not [carried out by] North Korea but [was actually] an inside job.”
Solution: “The first step in mitigating the risk of privileged account exploitation is to identify all privileged accounts and credentials [and] immediately terminate those that are no longer in use or are connected to employees that are no longer at the company,” says Adam Bosnian, executive vice president, CyberArk.
“Next, closely monitor, control and manage privileged credentials to prevent exploitation. Finally, companies should implement necessary protocols and infrastructure to track, log and record privileged account activity [and create alerts, to] allow for a quick response to malicious activity and mitigate potential damage early in the attack cycle.”
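Bosnian’s first step, an inventory of privileged accounts with stale and orphaned ones terminated, is a review that can be automated. The Go program below is an added example written for this article, not code from CyberArk or any other company quoted here. It assumes a privileged-account inventory with an owner and a last-used date per account, an HR roster of current employees, and an idle threshold of 90 days; all of the data in it is constructed.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// PrivilegedAccount is one row of a privileged-account inventory.
type PrivilegedAccount struct {
	Name     string    // account name (domain admin, root-equivalent, service account)
	Owner    string    // employee responsible for the credential; "" if nobody is on record
	LastUsed time.Time // most recent authenticated use
}

// Finding is one account that should be terminated or re-justified, with the reason.
type Finding struct {
	Account string
	Reason  string
}

// ReviewPrivilegedAccounts applies the two rules from the text: terminate
// credentials connected to people no longer at the company, and terminate
// credentials no longer in use. `active` is the current employee roster
// (an HR export in practice); `maxIdle` defines "no longer in use".
// Accounts with no owner on record are flagged too, since nobody can vouch
// for them. Findings are sorted by account name so the output is stable.
func ReviewPrivilegedAccounts(accts []PrivilegedAccount, active map[string]bool, now time.Time, maxIdle time.Duration) []Finding {
	var findings []Finding
	for _, a := range accts {
		idle := now.Sub(a.LastUsed)
		switch {
		case a.Owner == "":
			findings = append(findings, Finding{a.Name, "no owner on record; assign an owner or terminate"})
		case !active[a.Owner]:
			findings = append(findings, Finding{a.Name, "owner " + a.Owner + " is no longer employed; terminate"})
		case idle > maxIdle:
			findings = append(findings, Finding{a.Name, fmt.Sprintf("unused for %d days; terminate or re-justify", int(idle.Hours()/24))})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Account < findings[j].Account })
	return findings
}

// sampleInventory is constructed data for this example: four privileged
// accounts and a roster in which "bob" has already left the company.
func sampleInventory() ([]PrivilegedAccount, map[string]bool, time.Time) {
	now := time.Date(2015, 1, 15, 0, 0, 0, 0, time.UTC)
	accts := []PrivilegedAccount{
		{Name: "da-alice", Owner: "alice", LastUsed: now.AddDate(0, 0, -2)},
		{Name: "da-bob", Owner: "bob", LastUsed: now.AddDate(0, 0, -1)},      // owner has left, yet still logging in
		{Name: "svc-backup", Owner: "", LastUsed: now.AddDate(0, 0, -3)},     // nobody owns it
		{Name: "da-legacy", Owner: "alice", LastUsed: now.AddDate(0, -6, 0)}, // idle for six months
	}
	active := map[string]bool{"alice": true, "carol": true}
	return accts, active, now
}

func main() {
	accts, active, now := sampleInventory()
	for _, f := range ReviewPrivilegedAccounts(accts, active, now, 90*24*time.Hour) {
		fmt.Printf("%-12s %s\n", f.Account, f.Reason)
	}
}
```

The departed-owner rule catches the case the text is most worried about: a credential that is still in active use after its owner has left, which an idle check alone would never flag. Running the review on every HR leaver event, rather than on a calendar, is what turns Bosnian’s “immediately terminate” into practice.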
Risk No. 2: Careless or Uninformed Employees
“A careless worker who forgets [his] unlocked iPhone in a taxi is as dangerous as a disgruntled user who maliciously leaks information to a competitor,” says Ray Potter, CEO, SafeLogic. Similarly, employees who are not trained in security best practices and have weak passwords, visit unauthorized websites and/or click on links in suspicious emails or open email attachments pose an enormous security threat to their employers’ systems and data.
Solution: “Train employees on cyber security best practices and offer ongoing support,” says Bill Carey, vice president of Marketing for RoboForm. “Some employees may not know how to protect themselves online, which can put your business data at risk,” he explains. So it’s essential to “hold training sessions to help employees learn how to manage passwords and avoid hacking through criminal activity like phishing and keylogger scams. Then provide ongoing support to make sure employees have the resources they need.”
Also, “make sure employees use strong passwords on all devices,” he adds. “Passwords are the first line of defense, so make sure employees use passwords that have upper and lowercase letters, numbers and symbols,” Carey explains.
“It’s also important to use a separate password for each registered site and to change it every 30 to 60 days,” he continues. “A password management system can help by automating this process and eliminating the need for staff to remember multiple passwords.”
Encryption is also essential.
“As long as you have deployed validated encryption as part of your security strategy, there is hope,” says Potter. “Even if the employee hasn’t taken personal precautions to lock their phone, your IT department can execute a selective wipe by revoking the decryption keys specifically used for the company data.”
To be extra safe, “implement multifactor authentication such as One Time Password (OTP), RFID, smart card, fingerprint reader or retina scanning [to help ensure] that users are in fact who you believe they are,” adds Rod Simmons, product group manager, BeyondTrust. “This helps mitigate the risk of a breach should a password be compromised.”
Risk No. 3: Mobile Devices (BYOD)
“Data theft is at high vulnerability when employees are using mobile devices [particularly their own] to share data, access company information, or neglect to change mobile passwords,” explains Jason Cook, CTO & vice president of Security, BT Americas. “According to a BT study, mobile security breaches have affected more than two-thirds (68 percent) of global organizations in the last 12 months.”
Indeed, “as more enterprises embrace BYOD, they face risk exposure from those devices on the corporate network (behind the firewall, including via the VPN) in the event an app installs malware or other Trojan software that can access the device's network connection,” says Ari Weil, vice president, Product
Solution: Make sure you have a carefully spelled out BYOD policy. “With a BYOD policy in place, employees are better educated on device expectations and companies can better monitor email and documents that are being downloaded to company or employee-owned devices,” says Piero DePaoli, senior director, Global Product Marketing, Symantec. “Monitoring effectively will provide companies with visibility into their mobile data loss risk, and will enable them to quickly pinpoint exposures if mobile devices are lost or stolen.”
Similarly, companies should “implement mobile security solutions that protect both corporate data and access to corporate systems while also respecting user’s privacy through containerization,” advises Nicko van Someren, CTO, Good Technology. “By securely separating business applications and business data on users’ devices, containerization ensures corporate content, credentials and configurations stay encrypted and under IT’s control, adding a strong layer of defense to once vulnerable points of entry.”
You can also “mitigate BYOD risks with a hybrid cloud,” adds Matthew Dornquast, CEO and cofounder, Code42. “As unsanctioned consumer apps and devices continue to creep into the workplace, IT should look to hybrid and private clouds for mitigating potential risks brought on by this workplace trend,” he says. “Both options generally offer the capacity and elasticity of the public cloud to manage the plethora of devices and data, but with added security and privacy—such as the ability to keep encryption keys on-site no matter where the data is stored—for managing apps and devices across the enterprise.”
Risk No. 4: Cloud Applications
Solution: “The best defense [against a cloud-based threat] is to defend at the data level using strong encryption, such as AES 256-bit, recognized by experts as the crypto gold standard and retain the keys exclusively to prevent any third party from accessing the data even if it resides on a public cloud,” says Pravin Kothari, founder and CEO of CipherCloud. “As many of 2014’s breaches indicate, not enough companies are using data level cloud encryption to protect sensitive information.”
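Kothari’s advice (encrypt at the data level with AES-256 and keep the keys yourself) is the same mechanism behind Potter’s “selective wipe” in Risk No. 2 and Dornquast’s keys-on-site point in Risk No. 3: if only you hold the key, destroying it makes every copy of the data unreadable wherever it sits. The Go program below is an added example written for this article, not code from CipherCloud or any other vendor quoted here. The KeyVault type is a stand-in for an on-premises key store (an assumption for the example); data is sealed with AES-256-GCM from the Go standard library before it would be handed to a cloud store, and revoking the key leaves the stored blob permanently unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyVault stands in for the on-premises key store: keys never leave it, and
// Revoke is the "selective wipe". Constructed for this example, not a real API.
type KeyVault struct {
	keys map[string][]byte
}

func NewKeyVault() *KeyVault {
	return &KeyVault{keys: map[string][]byte{}}
}

// Generate creates a random 256-bit AES key under the given id.
func (v *KeyVault) Generate(id string) error {
	k := make([]byte, 32) // 32 bytes selects AES-256 in aes.NewCipher
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	v.keys[id] = k
	return nil
}

// Revoke zeroes and forgets the key material for id. Every blob sealed
// under that key, in the cloud or in backups, becomes undecryptable.
func (v *KeyVault) Revoke(id string) {
	if k, ok := v.keys[id]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(v.keys, id)
	}
}

// gcm builds an AES-GCM instance for id, failing if the key is not held.
func (v *KeyVault) gcm(id string) (cipher.AEAD, error) {
	k, ok := v.keys[id]
	if !ok {
		return nil, errors.New("key " + id + " is not available (revoked or never created)")
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under key id. A fresh random nonce is prepended
// so the blob is self-contained; GCM also authenticates it, so tampering
// with the stored blob is detected on Decrypt.
func (v *KeyVault) Encrypt(id string, plaintext []byte) ([]byte, error) {
	g, err := v.gcm(id)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; it fails if the key is gone or the blob was altered.
func (v *KeyVault) Decrypt(id string, blob []byte) ([]byte, error) {
	g, err := v.gcm(id)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:g.NonceSize()], blob[g.NonceSize():]
	return g.Open(nil, nonce, ct, nil)
}

func main() {
	vault := NewKeyVault()
	if err := vault.Generate("customer-db"); err != nil {
		panic(err)
	}
	// Constructed sample record; the blob is what would be uploaded to the cloud.
	blob, _ := vault.Encrypt("customer-db", []byte("customer record: constructed sample"))
	pt, err := vault.Decrypt("customer-db", blob)
	fmt.Printf("with key held on-site: %q (err=%v)\n", pt, err)
	vault.Revoke("customer-db") // the selective wipe
	_, err = vault.Decrypt("customer-db", blob)
	fmt.Println("after revoking the key:", err)
}
```

Two properties matter for the cloud case. The provider only ever sees the sealed blob, so a breach on its side yields ciphertext, and because GCM is authenticated, a blob altered in storage is rejected rather than silently decrypted to garbage. Key destruction is what makes the wipe “selective”: revoking one key affects only the data sealed under it, while the blobs themselves can stay where they are.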
Risk No. 5: Unpatched or Unpatchable Devices
“These are network devices, such as routers, [servers] and printers that employ software or firmware in their operation, yet either a patch for a vulnerability in them was not yet created or sent, or their hardware was not designed to enable them to be updated following the discovery of vulnerabilities,” says Shlomi Boutnaru, cofounder & CTO, CyActive. “This leaves an exploitable device in your network, waiting for attackers to use it to gain access to your data.”
A leading breach candidate: the soon-to-be unsupported Windows Server 2003.
“On July 14, 2015, Microsoft will no longer provide support for Windows Server 2003 – meaning organizations will no longer receive patches or security updates for this software,” notes Laura Iwan, senior vice president of Programs, Center for Internet Security.
With over 10 million physical Windows 2003 servers still in use, and millions more in virtual use, according to Forrester, “expect these outdated servers to become a prime target for anyone interested in penetrating the networks where these vulnerable servers reside,” she says.
Solution: Institute a patch management program to ensure that devices, and software, are kept up to date at all times.
“Step one is to deploy vulnerability management technology to look on your network and see what is, and isn't, up to date,” says Greg Kushto, director of the Security Practice at Force 3. “The real key, however, is to have a policy in place where everyone agrees that if a certain piece of equipment is not updated or patched within a certain amount of time, it is taken offline.”
To avoid potential problems with Windows Server 2003, “identify all Windows Server 2003 instances; inventory all the software and functions of each server; prioritize each system based on risk and criticality; and map out a migration strategy and then execute it,” Iwan advises. And if you are unable to execute all steps in house, hire someone certified to assist you.
Risk No. 6: Third-party Service Providers
“As technology becomes more specialized and complex, companies are relying more on outsourcers and vendors to support and maintain systems,” notes Matt Dircks, CEO, Bomgar. “For example, restaurant franchisees often outsource the maintenance and management of their point-of-sale (POS) systems to a third-party service provider.”
However, “these third parties typically use remote access tools to connect to the company’s network, but don’t always follow security best practices,” he says. “For example, they’ll use the same default password to remotely connect to all of their clients. If a hacker guesses that password, he immediately has a foothold into all of those clients’ networks.”
Indeed, “many of the high profile and extremely expensive breaches of the past year (think Home Depot, Target, etc.) were due to contractors’ login credentials being stolen,” states Matt Zanderigo, Product Marketing Manager, ObserveIT. “According to some recent reports, the majority of data breaches – 76 percent – are attributed to the exploitation of remote vendor access channels,” he says. “Even contractors with no malicious intent could potentially damage your systems or leave you open to attack.”
“This threat is multiplied exponentially due to the lack of vetting done by companies before allowing third parties to access their network,” adds Adam Roth, cybersecurity specialist from Dynamic Solutions International. “A potential data breach typically does not directly attack the most valuable server, but is more a game of leap frog, going from a low level computer that is less secure, then pivoting to other devices and gaining privileges,” he explains.
“Companies do a fairly good job ensuring critical servers avoid malware from the Internet,” he continues. “But most companies are pretty horrible at keeping these systems segmented from other systems that are much easier to compromise.”
Solution: “Companies need to validate that any third party follows remote access security best practices, such as enforcing multifactor authentication, requiring unique credentials for each user, setting least-privilege permissions and capturing a comprehensive audit trail of all remote access activity,” says Dircks.
In particular, “disable third-party accounts as soon as they are no longer needed; monitor failed login attempts; and have a red flag alerting you to an attack sent right away,” says Roth.
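Roth’s three points (disable accounts that are no longer needed, monitor failed logins, raise a flag right away) can be run as detection logic over the remote-access audit trail Dircks recommends keeping. The Go program below is an added example written for this article, not code from Bomgar, ObserveIT or any other company quoted here. The log lines are constructed, their key=value layout is invented rather than any real product’s format, and the approved-account list, the threshold of three failures and the five-minute window are assumptions chosen for the example; it flags a burst of failed logins on a vendor account, a success following such a burst, and any activity by an account that is no longer on the approved list.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed remote-access authentication record.
type Event struct {
	When   time.Time
	User   string // third-party account name
	Src    string // source address of the connection
	Result string // "OK" or "FAIL"
}

// Alert is what gets sent to the on-call responder right away.
type Alert struct {
	User     string
	Severity string
	Detail   string
}

// sampleLog is constructed for this example; the layout (RFC 3339 timestamp
// followed by key=value fields) is invented, not that of any real product.
const sampleLog = `2015-01-15T03:12:01Z user=pos-vendor src=203.0.113.7 result=FAIL
2015-01-15T03:12:04Z user=pos-vendor src=203.0.113.7 result=FAIL
2015-01-15T03:12:09Z user=pos-vendor src=203.0.113.7 result=FAIL
2015-01-15T03:12:15Z user=pos-vendor src=203.0.113.7 result=FAIL
2015-01-15T03:12:21Z user=pos-vendor src=203.0.113.7 result=FAIL
2015-01-15T03:12:30Z user=pos-vendor src=203.0.113.7 result=OK
2015-01-15T09:00:00Z user=hvac-vendor src=198.51.100.4 result=OK
2015-01-15T09:05:00Z user=old-contractor src=192.0.2.9 result=OK
2015-01-15T11:00:00Z user=hvac-vendor src=198.51.100.4 result=FAIL
2015-01-15T11:30:00Z user=hvac-vendor src=198.51.100.4 result=OK`

// parseLog turns the log text into events, skipping lines with too few fields.
func parseLog(text string) ([]Event, error) {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 4 {
			continue
		}
		when, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", fields[0], err)
		}
		e := Event{When: when}
		for _, kv := range fields[1:] {
			parts := strings.SplitN(kv, "=", 2)
			if len(parts) != 2 {
				continue
			}
			switch parts[0] {
			case "user":
				e.User = parts[1]
			case "src":
				e.Src = parts[1]
			case "result":
				e.Result = parts[1]
			}
		}
		events = append(events, e)
	}
	return events, sc.Err()
}

// Detect applies three checks in time order: (1) at least `threshold` failed
// logins for one account inside `window`; (2) a success right after such a
// burst, the strongest sign that a password was guessed; (3) any activity by
// an account not in `authorized`, which should already have been disabled.
func Detect(events []Event, authorized map[string]bool, threshold int, window time.Duration) []Alert {
	sort.Slice(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	var alerts []Alert
	recentFails := map[string][]time.Time{} // sliding window of failures per account
	inBurst := map[string]bool{}             // accounts already alerted for a burst
	reported := map[string]bool{}            // unapproved accounts already reported
	for _, e := range events {
		if !authorized[e.User] && !reported[e.User] {
			reported[e.User] = true
			alerts = append(alerts, Alert{e.User, "high", "activity by an account not on the approved third-party list; disable it"})
		}
		switch e.Result {
		case "FAIL":
			f := recentFails[e.User]
			for len(f) > 0 && e.When.Sub(f[0]) > window { // expire failures outside the window
				f = f[1:]
			}
			f = append(f, e.When)
			recentFails[e.User] = f
			if len(f) >= threshold && !inBurst[e.User] {
				inBurst[e.User] = true
				alerts = append(alerts, Alert{e.User, "medium", fmt.Sprintf("%d failed logins within %s from %s", len(f), window, e.Src)})
			}
		case "OK":
			if inBurst[e.User] {
				alerts = append(alerts, Alert{e.User, "critical", "successful login after a burst of failures from " + e.Src + "; treat the credential as compromised"})
			}
			recentFails[e.User] = nil // a success closes the window
			inBurst[e.User] = false
		}
	}
	return alerts
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	authorized := map[string]bool{"pos-vendor": true, "hvac-vendor": true} // accounts still needed
	for _, a := range Detect(events, authorized, 3, 5*time.Minute) {
		fmt.Printf("[%s] %s: %s\n", a.Severity, a.User, a.Detail)
	}
}
```

On the sample data this produces three alerts: a medium one when the POS vendor account reaches three failures in under a minute, a critical one when that account then logs in successfully, and a high one for the old contractor account that should have been disabled. A single failed login from the HVAC vendor is not enough to fire, which is the point of the threshold and window: the rule should catch guessing, not a mistyped password.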
General Guidance on Dealing With Breaches
“Most organizations now realize that a breach is not a matter of if but when,” says Rob Sadowski, director of Technology Solutions for RSA. To minimize the impact of a security breach and leak, conduct a risk assessment to identify where your valuable data resides and what controls or procedures are in place to protect it.
Then, “build out a comprehensive incident response [and disaster recovery/business continuity] plan, determining who will be involved, from IT, to legal, to PR, to executive management, and test it.”
Written By: Jennifer Lonoff Schiff is a business and technology writer and a contributor to CIO.com. She also runs Schiff & Schiff Communications, a marketing firm focused on helping organizations better interact with their customers, employees and partners.
Source: cio.com 