Six new year resolutions for IT security managers.So 2005 has gone down as the worst year for data security breaches. I suppose the good news is that we seemed to be less troubled by viruses, so either the virus developers have got bored, or our anti virus technology has got better, or maybe we're simply not aware of them--remember the incident earlier in the summer of 2005. The question is whether 2005 has been particularly bad for data breaches, or its the case that more organisations own up to indiscretions. After all the consequences for being found out are now a lot more serious than admitting to a problem. It seems like almost every month last year, some organisation or other was admitting to backup tapes See tape backup. being misplaced mis·place tr.v. mis·placed, mis·plac·ing, mis·plac·es 1. a. To put into a wrong place: misplace punctuation in a sentence. b. . They were either- falling of the back of Lorries, motorbikes, getting lost in warehouses, disappearing when entrusted to some courier service or other. In the UK, the Wand Revenue lost a computer disc, sent by the bank, which contained address and account details of the banks investors, and apparently they are still looking for Looking for In the context of general equities, this describing a buy interest in which a dealer is asked to offer stock, often involving a capital commitment. Antithesis of in touch with. the disc. In Japan, millions of credit card details were stolen. In fact the stories go on and on. The potential seriousness for your business was quantified by the department of Trade and Industry The Department of Trade and Industry was a United Kingdom government department which was disbanded with the announcement of the creation of the Department for Business, Enterprise and Regulatory Reform on 28 June 2007[1]. , which said that 70 percent of organisations that experience serious data loss go out of business within 18 months. So looking on the bright side, the UK may become a tax haven Tax Haven A country that offers individuals and businesses little or no tax liability. Notes: There are several countries in the Caribbean that are considered tax havens. during 2006! An organisation should never underestimate the potential damage in case of exposure or loss of confidential data. This is the reason why most businesses takes great care to ensure that the physical media is protected in physical safes with dual control procedures. And in some cases these physical security measures Noun 1. security measures - measures taken as a precaution against theft or espionage or sabotage etc.; "military security has been stepped up since the recent uprising" security are even enforced by formal regulations. Securing data while it travels between applications, business partners, suppliers, customers, and other members of an extended enterprise is crucial. As enterprise networks continue to become increasingly accessible, so do the risks that information will be intercepted or altered in transmission. For example how many CEOs are aware that sensitive data within the organisation is visible to everyone from database administrators, developers, and system administrators? How many bank directors are aware that in many cases financial transaction files are sitting in clear text on application servers--a European bank recently fell foul during an external audit when it was discovered that payments being sent to and from a third party payment system where accessible to system administrators, and the bank had no means to control administrator access to the systems, and no way to verify if the file was manually adjusted. And the chances are that if its true of this bank, its very likely the case in others since they generally use similar systems. And not only are they not aware, they don't always understand the technical issues involved. Like my accountant and I when we meet--we have these brief conversations where I try to explain what I do, and vice versa VICE VERSA. On the contrary; on opposite sides. , and quite frankly neither of us has any understanding of the other's profession. Think about the company who is contracted to carry out research and development for many business partners--do management understand how confidential R&D data is shared with business partners? Or how about the financial company that processes payments for non face-to-face businesses including Internet, mail and telephone--does management know how payment files are delivered to and from merchants? The list is endless. Regulation means that companies have never been as vulnerable to the consequences of data breaches as they are today. The potential damages resulting from loss of reputation, business, and legal costs can be crippling crip·ple n. 1. A person or animal that is partially disabled or unable to use a limb or limbs: cannot race a horse that is a cripple. 2. A damaged or defective object or device. tr.v. too many businesses. Not only can it affect the day to day business, but it can also impact long-term M&A strategies. The days of dealing with data breaches 'in-house' are gone, and the consequences of being caught trying to do this are potentially worse than simply confessing. So what should you be doing? Well there are a number of steps to consider. And an excellent guideline guideline Medtalk A series of recommendations by a body of experts in a particular discipline. See Cancer screening guidelines, Cardiac profile guidelines, Gatekeeper guidelines, Harvard guidelines, Transfusion guidelines. to follow is the standard, developed by MasterCard and VISA and also being enforced by American Express American Express (NYSE: AXP), sometimes known as "AmEx" or "Amex", is a diversified global financial services company, headquartered in New York City. The company is best known for its credit card, charge card and traveler's cheque businesses. , and which is designed to protect cardholder card·hold·er n. One who holds a card, especially a credit card. card  hold information and must be implemented by members, merchants and service
providers. If you fall into any of these categories, and that will apply
to most, then this is important
1. Build and Maintain a Secure Network--Maybe an obvious comment, but it is important to understand what this means. You need to have a firewall configuration to protect data and not use vendor-supplied defaults for system passwords and other security parameters In cryptography, the security parameter is a variable that measures the input size of the problem. Both the resource requirements of the cryptographic algorithm or protocol as well as the adversary's probability of breaking security are expressed in terms of the security parameter. . In order for firewalls to be effective, all communication from untrusted networks or hosts must be blocked, preventing external sources from interfacing with internal ones. An interesting point to note here is that the requirement for the firewall is to 'protect data", not to secure the Perimeter. Far too often, administrators use the default passwords on systems as important as server and network devices for ease of use or simply because they forgot to change them. A list of these default passwords can easily be found on the Internet and are often how hackers access the network. To best meet this requirement, it all starts with a formal password control program that expands upon best-practice policies with technologies that enable companies to have the accessibility and security needed for administrative passwords. This type of program marries policies with controls, changes and audits, to ensure best practices. 2. Protect Data--In order to achieve this goal, it is necessary to ensure that data is protected when it is stored--and wherever it is stored, and that the data is encrypted en·crypt tr.v. en·crypt·ed, en·crypt·ing, en·crypts 1. To put into code or cipher. 2. Computer Science when being transmitted across public networks. Although most will probably employ some type of VPN (Virtual Private Network) A private network that is configured within a public network (a carrier's network or the Internet) in order to take advantage of the economies of scale and management facilities of large networks. technology for transmission, the secure storage is often overlooked. An effective solution will provide a comprehensive environment to securely store sensitive data, featuring strong firewall, strong authentication (1) Verifying the integrity of a transmitted message. See message integrity, e-mail authentication and MAC. (2) Verifying the identity of a user logging into a network. , session encryption The reversible transformation of data from the original (the plaintext) to a difficult-to-interpret format (the ciphertext) as a mechanism for protecting its confidentiality, integrity and sometimes its authenticity. Encryption uses an encryption algorithm and one or more encryption keys. , storage encryption, extensive auditing, access control, dual control and other security measures to ensure the security and confidentiality of data. Data at rest is frequently left sitting without any form of encryption attached to it. If an intruder An attacker that gains, or tries to gain, unauthorized access to a system. See attacker, intrusion and IDS. is able to hack past the firewall or walk off with a server, there is no protection for the data inside if it lays unencrypted. It is essential that the solution selected to meet this requirement features built-in encryption and key management mechanisms that ensure data is always secure, while at rest and while being transmitted. 3. Maintain a Vulnerability Management Program--This is primarily to ensure that you use and regularly update anti-virus software anti-virus software n → Antivirensoftware f and secondly, that you develop and maintain secure systems and applications. All applications, as well as the network itself, should be protected by an anti-virus solution. And secure systems and applications exclude those that have embedded Inserted into. See embedded system. user credentials, often the case in many database applications. 4 Implement Strong Access Control Measures--This can present a challenge since it does not simply define Identity Management measures but also the need to ensure that data is only accessible on a 'need to know' basis. Ensuring that users have access only to the level of data that they need is an important step in preventing data theft, particularly internal data theft. A good solution would store data in a highly departmentalized manner, allowing only authenticated au·then·ti·cate tr.v. au·then·ti·cat·ed, au·then·ti·cat·ing, au·then·ti·cates To establish the authenticity of; prove genuine: a specialist who authenticated the antique samovar. users access to data based on their level of authorization. Every user should be assigned an individual account that easily allows them to access the data they need while restricting them from accessing additional information. 5. Regularly Monitor and Test Networks--This section requires that you track and monitor all access to network resources and data and regularly test security systems and processes. One of the best ways to do this is to have an automated audit trail to assess who had access to data if a security breach was to occur. The optimum solution guarantees individual logging, while also recording every successful and unsuccessful event, such as login Signing in and gaining access to a network server, Web server or other computer system. The process (the noun) is a "login" or "logon," while the act of doing it (the verb) is to "log in" or to "log on. , data access and administrative activities. Additionally, these audit trails should also be stored in a safe manner and be encrypted and signed and unable to be altered manually. Another key feature to look for is the solution's ability to maintain an audit trail for a predefined period of time, making it impossible to delete the log before the retention period expires. 6. Maintain an Information Security Policy--The responsibility for this falls squarely square·ly adv. 1. Mathematics At right angles: sawed the beam squarely. 2. In a square shape. 3. on your IT department and management team to create, define and enforce an information security policy throughout the organization. The policy should address all relevant rules and regulations defined by regulatory bodies who may have an interest in your activities, and your users should be fully aware of the obligations as well as penalties for non-compliance. In today's increasingly regulated business environment it's only a matter of time until the phone call comes from someone inviting themselves for a visit, and hopefully you have an your information readily at hand. After all no one doubts that you're an honest businessman, but can you prove it. So make the resolution not to be the data breach story of 2006! www.cyber-ark.com Cahun Macleod. Cyber-Ark |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion