Featured Article: How a solid security program can safeguard your data

by Michael Welsch, Senior IT Security Auditor, Coalfire

Recent headlines about high-profile companies falling prey to hackers have many of us frightened. Sony, Lockheed-Martin, Michael’s, Epsilon, and RSA have all been breached lately—Sony has been victimized on 10 separate occasions due to a publicly acknowledged SQL injection flaw. Adding insult to injury, the hackers were brazen enough to publish their exploits all over the internet and Twitter.

The truth of the matter is that hacking has become a sophisticated business with ties to professional criminals backed by foreign governments and large crime organizations. Of course, not every company’s data is going to be singled out for foreign espionage or mafia hits, but no one is outside of the threat, no matter what their size. In fact, a recent data breach report published by the Verizon Risk Team indicates that breaches on companies with 100 employees or less rose significantly throughout 2010. And today’s breaches can take very simple forms that can put even the most benign data at risk. An employee with excessive access to systems outside his/her job responsibilities can lead to data exposure. A momentary lapse in awareness by a courier can leave a laptop or back-up tape on a park bench for anyone to take. A quick look at the Privacy Rights Clearinghouse website will prove that companies both large and small are falling victim. The scary fact is that there is no guarantee that your company won’t get hacked in one way or another, but a solid security program can help prevent or at least mitigate your losses.

Assessing and Securing Your Data

All good security programs begin with one important process: a thorough risk assessment that helps you understand every aspect of your data. A properly performed risk assessment (using NIST 800-30, OCTAVE, ISO 27005, etc.) will reveal what your data is, where it resides, how it is protected, who has access to it, and if it is electronic or hard copy.

Once you understand these important elements of your data, the next step is to follow an appropriate security framework to protect your specific type of data. For businesses handling credit card data, the necessary framework will be based on the Data Security Standard. Healthcare-related companies require controls similar to HIPAA regulations. Controls for financial institutions must be based on the FFIEC IT Security Handbook. In every instance, however, these requirement frameworks will be primarily based on general IT Security Best Practices, and all will demonstrate significant similarities in controls, tone, concepts, and, often, enforcement. These requirements will guide you through the most important aspects of protecting your data:

  • proper firewall configuration
  • system hardening
  • data encryption
  • anti-virus installation
  • proper patching
  • developing hardened systems and applications
  • limiting access
  • enforcing strong passwords

Even if your company is not a merchant, financial institution, or healthcare provider, your data is still sensitive and valuable to people with ulterior motives. There is always someone eager to get his (or her) hands on customer data, competitive business data, forecasting reports, or employee information. Every business needs to research the available frameworks for guidance on managing access to and protecting their specific data as well as their cyber assets.

From the Top Down

I said it before and I’ll say it again: there are no security guarantees for any computer system, network, or server. Tight security is the first priority. However, there are also compelling trends that indicate one more significant measure that can increase the odds of safeguarding your data. A brief look at successful IT security organizations demonstrates that the tone at the top of the organization makes all the difference. If the executive board, senior management, or ownership clearly communicates and demonstrates the importance of compliance and security, then it will become an integral part of daily operations.

Now is the Time

The recent hacking headlines need to be a wake-up call to us all. A data breach of any kind can have a far-reaching financial and reputational impact on your organization. The battlefield is changing. The tactics are evolving. The enemy is frequently one step ahead. It is time to answer the sophisticated ploys of enemy hackers with a sophisticated security strategy for protecting the lifeblood of your company.

Coalfire Systems can help you develop the best strategies for protecting your valuable data, including internal security, segmentation, and employee screening.