2007 may be remembered as the year of data breaches (unless 2008 surpasses it, which we hope will not be the case). Big names from Disney to Western Union, Fidelity National Information Services and of course TJX were all in the headlines for the wrong reasons.
Security, it is often said, is only as strong as its weakest link: leave an opening and someone will find it. There is some truth to this, but if this were the whole truth then security would be an all-or-none proposition – luckily, it is not.
Most breaches, especially large-scale ones, are the result of multiple failure points. A breach on the scale of TJX, which continued undetected for 17 months, did not occur because someone had forgotten to follow one rule or close one back door.
Therefore, the good news is that taking even some of the recommended measures can greatly reduce the risk of data breaches, or at least mitigate their impact if they do happen by enabling early detection and quick remediation. Here are some key elements that can help achieve this:
1. Have a viable, up-to-date security policy: Make sure your security policy takes into account what data assets need protecting, the threat landscape and the potential consequences of a breach. Have procedures in place for quick response so that if the worst happens, the organization can react rapidly and minimize damage. Too many companies have policies that address yesterday's threats, or ones that are up to date but are hidden from the employees who should know them by heart. Communicate your policy to employees, and revise it periodically.
2. Know your sensitive data and safeguard it: Determine where your sensitive data assets are – by "sensitive", we mean data that if stolen or exposed would cause serious damage to the business, its employees, shareholders, customers or partners. Control access to this data, preventing unauthorized copying, printing and backups. When reading about lost laptops with sensitive data (encrypted or not), one often wonders what such data was doing on a laptop in the first place – start there.
3. Apply the least privilege principle: Give users and applications the minimum required access, especially as regards sensitive data. Do not grant privileges based on future needs but current ones, and regularly review existing privileges and revoke the ones that are no longer required. In today's enterprise, with so many consultants, outsourced developers and partners gaining access to internal systems, it is easy to disregard just how many external elements have access to systems for which they no longer need it.
4. Encrypt data in motion: Choose the right solution for your environment, using strong encryption standards and algorithms, coupled with authentication and key exchange mechanisms that make sense. There are no "one size fits all", and a heterogeneous environment may require the use of various standards including IPSec, WPA2, SSL and SSH. TJX, for example, used weak encryption (WEP) on its point-of-sale WiFi devices, giving criminals the opening through which they began stealing credit card numbers.
5. Encrypt data at rest: When done right, this ensures that only those who need to see sensitive data see it. However, it is important to choose the right kind of encryption and do it judiciously, covering only sensitive data. Key management is crucial, because if encryption keys are distributed to too many users, applications and devices, it will render itself useless in terms of security.
6. Monitor database activity: Nowhere would you find more useful sensitive data than in enterprise databases, yet most enterprises have zero visibility into who is doing what in the database. Real-time monitoring and auditing gives you the ability to enforce usage policy and provides an additional and necessary layer of security in the place most likely to be the source of a major breach. Apply automatic prevention where appropriate (e.g., obvious SQL injection attacks). The hackers that pilfered almost 100 million credit card records from TJX could not have done so without unfettered access to the database – monitoring would have certainly caught this early on. It is not for naught that database activity monitoring is considered a premier "compensating control" in PCI DSS, being a viable alternative to encryption.
7. Regularly check and harden configuration of components: Use automated tools to find bad configurations, weak passwords and vendor defaults in databases, application servers, routers and other devices. For example, a certain system has a default privileged user account that comes with the password "change_on_install", which of course needs to be changed after installation but sometimes is not. A surprising number of breaches are due to weak passwords – those are practically "X marks the spot" signs for potential intruders.
2008 will be marked by strides in more coherent, enterprise-wide IT security policy enforcement. Most enterprises have a large gap between their security policies on the one hand, and how they translate into processes and systems on the other hand. Additionally, regulatory compliance has been driving large-scale data governance initiatives that overlap, in part, with security concerns.
First it was Sarbanes-Oxley, more recently the credit card industry's PCI DSS, and in specific sectors there are additional compliance considerations such as HIPAA, GLBA or SAS 70. 2008, hopefully, will witness more top-down driven initiatives that relate to plugging real gaps in security based on risk.