Cracks in the system

Monday, 02 December 2013
John Dunne explains how to protect your information from theft and unlawful disclosure.

History is littered with examples of data theft and loss. Herodotus’ histories of ancient Greece tell how Ephialtes betrayed the Spartan king Leonidas by informing Xerxes of Persia of a secret path around the Spartan army, leading to their demise. In the Bible, Delilah cuts off Samson’s hair after he tells her it is the secret to his great strength. Both are classic cases of unlawful or accidental disclosure, which are all too common. Data security breaches have been with us for thousands of years, but where does the threat come from?

Numerous authors have suggested different threat vectors but, for the purposes of this article, I have divided them into three categories: internal, external and advanced persistent threats (APTs).

Internal

According to studies, the biggest risk to data security in an organisation is its own employees. The 2013 report Cost of a Data Breach, by Symantec and the Ponemon Institute, suggests that 64 per cent of all employees have made mistakes that ultimately caused data loss. Examples include accidentally losing data by leaving it in a public place, such as a train or taxi, or by emailing a client’s data to the wrong recipient. Advances in technical controls, such as data-leakage prevention and intrusion-detection and prevention systems, help to secure the network, but no control can completely guard against human error or deliberate theft.

External

External threats come in myriad guises. Hacker groups such as Anonymous and LulzSec disguise their activities under the façade of ‘hacktivism’. Other groups, such as Hidden Lynx, are professional hackers for hire and are quite open about what they do.

Technical controls make it difficult for hackers to access an organisation’s network from the outside, but attackers have one huge advantage: the proliferation of information on the internet. Social media, business forums, research databases, chat rooms, webmail: all this information is archived and stored on the internet and is readily accessible to people who know how to retrieve it. Use of this information makes it possible to ‘footprint’ organisations to reveal the best method of attack, e.g. a technical attack against the information architecture, or a social engineering attack aimed at the users.

APTs

An APT is a complex, determined and well-resourced attack on the infrastructure of a large organisation or nation state, typically orchestrated by another nation state. This manner of attack has come to light only recently, with the publication of the Mandiant report on Unit 61398 of the People’s Liberation Army of China. However, the theft of intellectual property and attempts to compromise national networks through technical means have been occurring for years. In fact, the UK government considers the risk from APTs so great that it allocated part of the GBP650 million budget from the 2011 UK cyber security strategy to investigate methods to counter them.

Who has been hacked?

Pick up any newspaper and you will find a data-incident story. Whether it’s a government employee leaving their laptop on the train, a consultancy company losing a USB memory drive or somebody finding a bag of confidential files in the dustbin, there is always something about data security.

In 2011, some of the biggest names to suffer data incidents were Sony, Citigroup, Betfair and The Washington Post. In 2012 hackers added Apple, Ubisoft and Yahoo! to their victims, and in 2013 we have already seen Facebook, Ubuntu, Evernote and Twitter report issues.

These are only the ones we can read about. Some organisations, such as banks and financial institutions, have a vested interest in keeping quiet about security breaches so it doesn’t affect their share price or reputation. Perhaps the question should be: who hasn’t been hacked?

How can I protect my data?

Big security companies will attempt to scare you with horror stories to sell you their latest solutions. These programmes have their place, but most require additional time and resources to implement if they are to be effective. Instead, let’s start with the basics: a five-point plan for protecting your data.

1. Select a strong password

There are dozens of ways to select a password. My favourite method is to think of an image and select three words associated with that image that are at least five letters long. String them together with no spaces in between and add two numbers at the end to give a password of at least 17 characters. This should be fairly easy to remember because you have the image as a mnemonic, but it will be extremely difficult to crack.

Combine this with changing other elements of your access control, such as increasing the time interval between changing passwords to something approximating 100 days. With such a strong password there shouldn’t be so much need to change it.

Also consider raising the number of failed login attempts permitted before an account is locked. A common denial-of-service technique is to find a system that has a low access attempt threshold, e.g. three attempts, and then enter the wrong password several times on several accounts to lock out multiple users. This is particularly effective if the reset requires system administrator intervention instead of happening automatically.
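The lockout denial-of-service described above has a recognisable signature in the authentication log: one source producing failed logins spread across many distinct accounts in a short window, rather than one user retrying their own password. The following detection logic is an added example, not part of the original article; the log format and the sample lines are constructed for it.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in a hypothetical format:
#   <ISO timestamp> FAILED_LOGIN user=<name> src=<ip>
# 10.0.0.5 fails once against each of five accounts inside one minute
# (the lockout pattern); 192.168.1.20 is one user mistyping a password.
SAMPLE_LOG = """\
2013-12-02T09:00:01 FAILED_LOGIN user=alice src=10.0.0.5
2013-12-02T09:00:05 FAILED_LOGIN user=bob src=10.0.0.5
2013-12-02T09:00:10 FAILED_LOGIN user=carol src=10.0.0.5
2013-12-02T09:00:14 FAILED_LOGIN user=dave src=10.0.0.5
2013-12-02T09:00:19 FAILED_LOGIN user=erin src=10.0.0.5
2013-12-02T09:05:00 FAILED_LOGIN user=grace src=192.168.1.20
2013-12-02T09:05:30 FAILED_LOGIN user=grace src=192.168.1.20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) FAILED_LOGIN user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_failures(log_text):
    """Yield (timestamp, user, src) for each failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def lockout_dos_sources(log_text, window=timedelta(minutes=1), min_users=5):
    """Return {src: most distinct accounts failed within one sliding window}
    for every source that reaches min_users distinct accounts."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(log_text):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the window fits the bound
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = max(len(users), flagged.get(src, 0))
    return flagged
```

Running `lockout_dos_sources(SAMPLE_LOG)` flags only 10.0.0.5; the thresholds should be tuned to the system’s own lockout setting so that an alert fires before users are locked out.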

2. Implement anti-virus (anti-malware) software

Most organisations will recognise the importance of having anti-virus (AV) or anti-malware software on their network, but do they attach similar importance to installing the updates regularly? For the software to be effective it must be regularly updated with the latest definition files.

A more advanced technique is to use multiple AV products to reduce exposure in the lag time between release of the virus and the patch (zero-day attacks). A word of caution: do your research and make sure the products will complement each other before you implement them.

3. Back up your data

This is a critical control but one that is typically considered last. Make sure data is backed up regularly and the copies are stored separately from the servers. Storing backup copies in the cloud is a useful reliability measure, but make sure you have at least one copy under your control in case your cloud provider fails.

Additionally, run verification checks on your backup copies to confirm their validity, and test your backup copies and business continuity plans regularly to make sure they are viable.
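One concrete form of the verification check recommended above is a hash manifest: record a SHA-256 digest for every file when the backup is taken, store the manifest separately from the copy, and compare the copy against it before you rely on it. The code below is an added example, not part of the original article; the backup set it builds is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large backups are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def walk_files(backup_dir):
    # yield (path relative to the backup root, full path) for every file
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            yield os.path.relpath(full, backup_dir), full

def build_manifest(backup_dir):
    """Record the SHA-256 of every file; keep this beside, not inside, the backup."""
    return {rel: sha256_file(full) for rel, full in walk_files(backup_dir)}

def verify_backup(backup_dir, manifest):
    """Report files missing from the copy, files whose contents no longer match
    (bit rot, truncation, tampering) and files the manifest never listed."""
    problems = {"missing": [], "corrupt": [], "unexpected": []}
    seen = set()
    for rel, full in walk_files(backup_dir):
        seen.add(rel)
        if rel not in manifest:
            problems["unexpected"].append(rel)
        elif sha256_file(full) != manifest[rel]:
            problems["corrupt"].append(rel)
    problems["missing"] = sorted(set(manifest) - seen)
    return problems

def demo():
    """Constructed backup set: take a manifest, then damage one file and delete
    another to show what verification reports."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("ledger.csv", b"2013,100\n"), ("notes.txt", b"ok\n")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(d)
        clean = verify_backup(d, manifest)          # all three lists empty
        with open(os.path.join(d, "ledger.csv"), "ab") as f:
            f.write(b"garbage")                     # simulate a corrupted copy
        os.remove(os.path.join(d, "notes.txt"))     # simulate a lost file
        return clean, verify_backup(d, manifest)
```

A manifest only proves the copy matches what was captured; restoring it into a test environment, as the paragraph recommends, is still needed to prove the backup is usable.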

4. Segregate and secure your data

This is an important control with several points to consider:

  • Review who has access to your data. Does everyone really need access to everything? Practise the principle of ‘least privilege’ and control access to sensitive data by storing it separately.
  • Consider how employees access data. Is it in the office or are they mobile? What access do they need to have? What would happen if that account was compromised?
  • Appoint data owners for each data item and make them responsible for granting access to that data. Enforce this through auditable processes to ensure compliance.
  • Finally, consider implementing data-classification controls. These will assist employees in deciding how to store and protect data.

5. Train your staff

This is the most cost-effective control, better than any piece of information systems security software or hardware currently available. Foster a culture of security awareness, not paranoia, that is visibly supported by the senior management team.

Develop security policies that support the controls and make sure everyone understands their responsibilities. Also, check and confirm compliance through regular audits and, if necessary, make sure appropriate punitive measures are applied to employees who deliberately contravene them.

There are more advanced ways to protect against cybercrime, such as an external analysis to identify the key cybersecurity threats to a business, professional security reviews and gap analysis of governance, regulatory and IT security controls. However, by getting the simple stuff right, you will save yourself at least two-thirds of the headaches.

John Dunne

John Dunne is the National Information Systems Security Manager for Grant Thornton UK LLP.
