How to Avoid Data Breach Incidents for Businesses
Data breaches are hard to predict: accidents and malicious attacks alike can become channels through which information flows out of an organization, causing business losses. In this article I will share some tips that will hopefully help you protect your organization from data breaches. Which is more worrying: attackers lurking in the hidden corners of the Internet, or in-house employees with access to sensitive information such as financial data? Both are proving difficult for IT departments to guard against. According to InformationWeek's 2012 Enterprise Technologist Strategy Security Survey, security incidents caused by corporate employees have been roughly equal in impact to external cyberattacks. Yet Verizon's 2012 Data Breach Investigations Report concluded that internal threats account for only a small fraction of all attacks, just 4 percent. If so, why do experts take them so seriously, even making something of a fuss about them? The reason is simple: insiders know how to reach critical company information, and their familiarity with the systems gives them dozens of hard-to-prevent ways to steal it. Their attacks also tend to do more damage. Just last year, a Bank of America employee passed the account information of hundreds of customers to a malicious individual, who used it to drain funds from those accounts; the direct losses ran to tens of millions of dollars, not counting the large additional sums Bank of America spent to placate its customers afterwards. The threat insiders pose to organizations keeps getting worse, yet IT departments tend to concentrate their protection efforts on securing the network perimeter against external attack campaigns.
Times have changed, and the warm nest of the new criminal activity we should worry about now lies inside the enterprise: internal malicious activity must be stifled sooner rather than later. Organizations should therefore rethink their existing security strategies now and place "internal" threats on the same level of concern as "external" ones. Internal security threats arise for many reasons, both intentional and inadvertent, but whatever the cause it is usually possible to build a comprehensive set of controls that keeps the damage to a minimum. To address insider threats we should look at three separate areas: the network, the host device, and the people who generate, process and move data. At the network level, controls must be able to detect and analyze the content of network traffic and, where possible, stop sensitive data from entering the transmission channel in time. On the host side the program is more traditional: anti-malware, encryption, change management and other security controls are indispensable. In the end, though, the people-related issues are the hardest: putting management policies in place and training employees to handle sensitive data properly. The rest of this article walks through the implementation of these three levels in detail.

Networks - Standing Guard

For employees inside the organization, the two most common ways to move data out are e-mail and the web. Whether a leak is intentional or the result of negligence, it relies on one of these two channels, and when an incident first surfaces the specific cause is often unclear. Employees using corporate e-mail accounts frequently send sensitive data to the wrong address by accident.
At the same time, malicious individuals intent on stealing sensitive information are likely to use personal webmail accounts or upload data to file-sharing sites on the web for their own ends. E-mail and web security gateways are therefore the first line of defense against both accidental incidents and deliberate sabotage. These gateways are usually used to inspect inbound traffic for spam and malware, but they can also be deployed to monitor outbound traffic. Sitting inline or acting as a relay or proxy, an internal security gateway sees all of the web and e-mail traffic employees generate. The major gateway vendors, including Barracuda Networks, Cisco IronPort, McAfee and Websense, all offer distinctive data loss protection features. Since traffic must pass through the gateway, a DLP (data leakage protection) module stationed there can tell whether sensitive data is leaking out of the organization. The module also focuses on specific types of data, such as credit card and social security numbers, and lets users create classification tags that define which files must not leave the corporate network. As soon as the module detects such data being exported, administrators are alerted, the traffic is frozen immediately, and the user in question receives a warning. Beyond that, the system reports the potential violation to the security department, human resources and the user's immediate supervisor; disciplinary consequences of that severity will certainly encourage everyone to remain careful and serious in their future work. In addition to analyzing web and e-mail traffic, network-based DLP products can monitor protocols and services including instant messaging, social networking sites, peer-to-peer file sharing and file transfer protocols.
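The pattern-matching and classification-tag checks just described, as an added example (not code from the article or from any of the vendors named): a small outbound-mail scanner in Python that flags social security numbers, Luhn-valid payment card numbers and tagged content addressed to external recipients. The internal domain, the tag strings and the sample messages are assumptions.

```python
import re

# Added example, not from the article: a minimal outbound-mail DLP check that
# mirrors what a gateway DLP module does: match social security numbers and
# payment card numbers (validated with the Luhn checksum so that random digit
# runs are not flagged) and honour a classification tag on the content.
# Domain, tags and sample messages are constructed for this example.
INTERNAL_DOMAINS = {"example.com"}
CLASSIFICATION_TAGS = ("CLASSIFICATION: INTERNAL-ONLY", "CLASSIFICATION: RESTRICTED")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits):
    """True when a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_message(msg):
    """Return the list of findings for one outbound message (dict with keys
    sender, recipients, body). Mail that stays inside the organisation is skipped."""
    if all(r.split("@")[-1].lower() in INTERNAL_DOMAINS for r in msg["recipients"]):
        return []
    body = msg["body"]
    findings = []
    if SSN_RE.search(body):
        findings.append("ssn")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(body)):
        findings.append("card")
    if any(tag in body for tag in CLASSIFICATION_TAGS):
        findings.append("classified-tag")
    return findings

def decide(msg):
    """Gateway verdict: block (and escalate) on any finding, otherwise allow."""
    findings = scan_message(msg)
    return ("block" if findings else "allow", findings)

# Constructed sample traffic: internal mail, a card number, a tagged file,
# and an order number that looks like a card but fails the Luhn check.
MESSAGES = [
    {"sender": "alice@example.com", "recipients": ["bob@example.com"],
     "body": "Payroll: SSN 123-45-6789 for review."},
    {"sender": "alice@example.com", "recipients": ["partner@mail.test"],
     "body": "Card on file: 4111 1111 1111 1111, thanks."},
    {"sender": "carol@example.com", "recipients": ["me@webmail.test"],
     "body": "CLASSIFICATION: RESTRICTED\nQ3 forecast attached."},
    {"sender": "dave@example.com", "recipients": ["x@mail.test"],
     "body": "Order 1234 5678 9012 3456 shipped."},
]
```

As the text notes, a scanner like this only sees cleartext; the same messages sent over an encrypted channel would pass it untouched.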
However, DLP and other network-based security products are blind to encrypted information. A user who has prepared in advance to send data over an encrypted channel such as SSH/SCP or Tor can bypass network-based DLP entirely. To address this, DLP products are usually paired with host-based and storage-device-based DLP solutions, which we will come to later. Anomaly detection systems are another network-level option, and Lancope and Riverbed Technologies are leaders in this area. These products build a baseline of metrics describing normal network activity, compare current activity against that baseline, and raise an alert when it deviates. For example, a typical computer in a network environment interacts with around 12 other computers and servers and transfers between 100MB and 200MB of data per day. If one day that computer is suddenly involved in more than 20 interactions (with computers, servers and other systems), or its transfers to a file server or database jump past the 500MB mark, the system treats this unusual activity as an immediate concern and alerts the administrator in real time. Carnegie Mellon University's CERT Insider Threat Center has carefully characterized the major types of insider attack, and the most striking finding is that insider attackers usually carry out their malicious activity in the month before they decide to leave the organization. They download sensitive data from the organization's servers to their own workstations and then keep copies by e-mailing them, burning CDs, or copying them to USB flash drives. As noted above, such out-of-the-ordinary downloads can be caught and tracked promptly by a network anomaly detection system, and the users concerned can be flagged and monitored immediately. Network anomaly detection is not omniscient, however.
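The baseline comparison described above, as an added example and not anything from Lancope or Riverbed: a per-entity baseline built from daily observations of peer count and bytes moved, with the same logic generalised to the per-user database record counts that the DAM products discussed next watch for. The K_SIGMA and MIN_RATIO thresholds and all observations are assumptions.

```python
from statistics import mean, pstdev

# Added example, not from the article: per-entity baselines for the metrics
# the text describes, namely distinct peers and megabytes moved per host per
# day, generalised to rows read per database user per day (the DAM case).
# A day is flagged when a metric exceeds the baseline mean by more than
# K_SIGMA standard deviations AND by at least MIN_RATIO, so that a very
# stable baseline with near-zero spread does not alert on trivial jitter.
# Thresholds and observations are constructed for this example.
K_SIGMA = 3.0
MIN_RATIO = 1.5

def baseline(history):
    """history: list of per-day {metric: value} dicts -> {metric: (mean, stdev)}."""
    out = {}
    for metric in history[0]:
        vals = [day[metric] for day in history]
        out[metric] = (mean(vals), pstdev(vals))
    return out

def anomalies(history, today):
    """Return {metric: (observed, threshold)} for every metric above baseline."""
    flagged = {}
    for metric, (mu, sigma) in baseline(history).items():
        threshold = max(mu + K_SIGMA * sigma, mu * MIN_RATIO)
        if today[metric] > threshold:
            flagged[metric] = (today[metric], round(threshold, 1))
    return flagged

# Constructed 14-day histories, roughly matching the article's figures:
# about 12 peers and 100-200 MB per host per day, 30-40 records per DB user.
HOST_HISTORY = [{"peers": 10 + i % 5, "mb_out": 120 + (i * 7) % 80} for i in range(14)]
DB_HISTORY = [{"rows_read": 30 + (i * 3) % 11} for i in range(14)]

# A quiet day and a suspicious day for each entity.
HOST_NORMAL = {"peers": 13, "mb_out": 180}
HOST_SUSPECT = {"peers": 25, "mb_out": 600}   # past the 20-peer and 500 MB marks
DB_NORMAL = {"rows_read": 38}
DB_SUSPECT = {"rows_read": 4000}              # thousands of rows in one day

if __name__ == "__main__":
    for name, hist, day in [("ws-17", HOST_HISTORY, HOST_SUSPECT),
                            ("bob", DB_HISTORY, DB_SUSPECT)]:
        print(name, anomalies(hist, day))
```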
For one thing, an anomaly detection system will not send a clear message such as "employee Bob appears to be trying to steal some sensitive records." Instead, the IT department receives a report of anomalous application and network activity, and the security team is tasked with digging deeper. In other words, log analysis, network activity review and forensics end up in the hands of people who are not specialists. This disconnect often stalls investigations, and serious threats go unaddressed while IT and security teams spend significant money and time tuning the anomaly detection system before its reports and investigations yield anything useful. IT departments can also use specialized tools to watch databases for anomalies. Their main role is to follow what employees are doing inside the organization's databases, which are home to its most valuable business information. Database Activity Monitoring (DAM) products from major vendors such as Imperva and IBM help administrators understand how users interact with database servers. DAM products run at the network or host level and can capture unusual activity, such as a user who normally accesses 30 to 40 records suddenly accessing thousands in a single day.

Hosts - No Room for Error

Host systems such as laptops and tablets must also be protected to minimize intentional and accidental breaches. One of the most effective ways to do so is encryption. Sixty-four percent of respondents to our Security Strategy Survey believe encryption is effective in protecting organizations from security threats. Encrypted laptops, portable storage media and mobile devices keep their data secure even after they are stolen.
Carefully deployed and configured management policies ensure that encryption is applied everywhere it should be, and strong password assignment and protection policies not only remove the fear of data leakage when a device is lost but also make it possible to wipe the device remotely. Encryption has many other uses, such as securing files as they are copied to removable media, smartphones and e-mail. Products such as Credant's Mobile Guardian and McAfee's Total Protection for Data actively encrypt data as it is written to mobile devices and portable storage media. To encourage the spread of encryption, some jurisdictions' data breach laws exempt organizations from notifying customers about lost or stolen data when that data was encrypted. Organizations with particularly strict security requirements often forbid employees to use portable storage media such as USB flash drives, and many endpoint protection suites, such as Symantec's Endpoint Protection and McAfee's DLP, can fully or partially block direct use of USB drives. Giving sensitive data sources such as file servers appropriate access and audit controls is also an effective deterrent to malicious behavior by employees. One option is basic file- and folder-level auditing, which lets administrators track user access, privilege escalation and software installation in real time. That may not sound difficult, but the challenge is that most organizations simply do not know where their sensitive data is stored, and without that basic knowledge file and folder auditing is essentially a non-starter.
The first step is to find out where sensitive data lives; data enumeration, a common feature of DLP products, helps IT departments locate information such as social security numbers, medical records and credit card data. Once the locations are known, the data should be consolidated and tied to appropriate user permissions; the next step is to implement file and folder auditing through a centralized logging or Security Information and Event Management (SIEM) tool. A properly configured alerting system should notify you when access patterns are abnormal or when an external user gains access to sensitive information. Another important step is to monitor workstations and servers for configuration changes and alert when necessary. Sudden large-scale changes are a likely sign that someone is compromising, or preparing to compromise, sensitive data. In the preparation stage they must first grant their workstation administrator-level privileges and add new hardware to copy data onto, or cover their tracks by emptying or disabling the logging system. SIEMs and specialized change management software can detect such activity and alert administrators in time; I recommend Tripwire's Policy Manager and NetIQ's Secure Configuration Manager for this purpose. Another great benefit of change and configuration management tools is that they often include workflow management, so configuration changes can be processed, approved and reverted on the basis of their records. Finally, the IT department must routinely record security information, review the logs, and decide on next steps based on what the statistics show. It is tedious work, but it matters.
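A detection for the preparatory steps listed above (privilege grant, new hardware, log clearing), as an added example and not a rule shipped by Tripwire, NetIQ or any SIEM product: a correlation over constructed audit events that flags a user who performs two or more of these actions within a few hours, while a single such action on its own is treated as routine administration. The event format, action names, user names and the window length are assumptions.

```python
from collections import defaultdict

# Added example, not from the article: a SIEM-style correlation rule over
# constructed audit events. It flags a user who, within WINDOW_SECONDS,
# performs more than one of the preparatory actions the text lists: gaining
# administrator rights, attaching new hardware, clearing or stopping logging.
# Event format ("<epoch> <user> <action>"), names and window are assumptions.
WINDOW_SECONDS = 6 * 3600
PREP_ACTIONS = {"admin_group_add", "usb_device_attached",
                "audit_log_cleared", "audit_service_stopped"}

def parse(line):
    """'<epoch> <user> <action>' -> (int epoch, user, action)."""
    ts, user, action = line.split()
    return int(ts), user, action

def correlate(lines):
    """Return {user: sorted distinct prep actions} for users with two or more
    distinct preparatory actions inside one WINDOW_SECONDS window."""
    events = sorted(parse(line) for line in lines)
    by_user = defaultdict(list)
    for ts, user, action in events:
        if action in PREP_ACTIONS:
            by_user[user].append((ts, action))
    hits = {}
    for user, evs in by_user.items():
        for i, (t0, _) in enumerate(evs):
            # events are time-ordered, so slice forward from each start point
            window = {a for t, a in evs[i:] if t - t0 <= WINDOW_SECONDS}
            if len(window) >= 2:
                hits[user] = sorted(window)
                break
    return hits

# Constructed audit trail: bob escalates, attaches a drive and clears the log
# within two hours; alice's two actions are a day apart; carol is unrelated.
AUDIT_LOG = [
    "1700000000 bob admin_group_add",
    "1700003600 bob usb_device_attached",
    "1700007200 bob audit_log_cleared",
    "1700000000 alice admin_group_add",
    "1700090000 alice usb_device_attached",
    "1700001000 carol file_read",
]

if __name__ == "__main__":
    print(correlate(AUDIT_LOG))
```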
Recall the 2011 Verizon Data Breach Investigations Report, which concluded: "In almost every data breach, victims have many opportunities to identify and correct problems before they actually occur. But the content of these important records was either simply unread or read and ignored without being incorporated into actual actions." Verizon's 2012 report shows the trend continuing: 84% of the victims surveyed had no idea that the highly damaging breaches they suffered had long been traceable in their daily logs. The truth is that such insider attacks can be nipped in the bud by careful examination of existing logs. For this reason Verizon recommends that large organizations "carefully monitor and analyze incident logs," and puts this advice prominently in its Motto of the Year.

The Human Factor - Establishing the Rules

Research shows that most internal malicious attacks come from employees who are disgruntled or about to leave for another job. Employees who are not disgruntled may also fall victim to phishing attacks on social networks and other sites, since the general public is largely unaware of the dangers and tell-tale signs of malicious links. The human factor is the hardest gap in security to close. The first step in raising awareness across the whole workforce is a set of well-defined, easy-to-understand management policies. Unfortunately, judging by my survey of current mainstream security architectures and policy documents, most organizations do this poorly. Policy texts are long-winded, tedious and extremely obscure, so ordinary employees cannot understand them, or even get through them, and quickly throw the policy out the window. It is not that they do not want to comply; they simply fail to understand, or even finish reading, such lengthy statements.
Do not write a management policy that is merely a checklist or a restatement of regulations. Instead, picture the situations employees are likely to meet in their daily work and use those as the basis for practical guidance, together with a clear list of the behaviors that are strictly prohibited. Combining background checks, data handling and classification, rules for using corporate resources, security precautions and training with the policy itself yields a set of guidance documents that are genuinely useful in practice. Draw up detailed data classification rules and practices that specify which types of data may be stored on which systems, how data should be transmitted over the network, what encryption is required, and whether data may be kept on mobile devices and portable storage media. Employees who work with sensitive data and systems are expected to handle information in accordance with the classification policy and to keep it up to date. Training is also essential if employees are to follow the policy. Wherever possible, use existing resources to help set up training programs, including the Security Work Syllabus put out by the Systems Cybersecurity Association and the Enterprise Security Awareness Training Program developed by the Offensive Security team. The Security: What Users Know report published on the InformationWeek website also contains a number of practical tips that employees may find worth reading for business guidance. Physical device security is another key factor that is often overlooked: organizations go to great lengths to build management mechanisms without considering how to stop employees from walking off with company-owned equipment.
It may be worth deploying monitoring systems in sensitive locations and restricting employee access there to minimize theft.

A Golden City, a Tightly Tailored Approach

To stop insider threats at the root, we need to investigate technical vulnerabilities closely and monitor employee behavior over time. Doing both is not easy, especially when employees access sensitive data as part of their jobs. The key is to understand the attack process and the underlying motives, and to deploy controls at the level where they work best. Start by identifying the most important information to protect, build an impenetrable defense around it, then use what you learn there to extend the controls to network and host systems as appropriate. And do not underestimate the human factor: develop management policies that employees can easily understand and follow, cultivate good security habits, and keep a watchful eye on every detail of user activity. A layered approach that addresses the network, the host and the human factor separately is the right answer, but getting there is a long road, and the road to any ideal is always bumpy. As Verizon put it in its 2012 annual report (the third consecutive year the company has published one), nearly all insider breaches are "the result of an organized, premeditated effort." To really keep insider threats under control, we may need a similarly "organized and premeditated" response.