Are You Up to Date? Today’s Top Five Security Threats to Your Data
If you’re feeling a little paranoid about data security threats, you can relax. You’re not paranoid! The threats are real. While financial institutions have gotten smarter (the recent breach at Global Payments notwithstanding), companies in other industries, such as retail and hospitality, are now in the crosshairs, and hackers and scammers are finding easier prey in small to medium businesses.
According to the Verizon Business report, “2012 Data Breach Investigations,” last year saw the second-highest data loss total since the company started keeping track in 2004. Some 855 incidents resulted in 174 million compromised records.
A couple of other stats are startling:
- 96 percent of the attacks were not highly difficult.
- 97 percent of breaches were avoidable through simple or intermediate controls.
This suggests that the problem within targeted organizations has more to do with education, process, and vigilance than with evil geniuses outsmarting expensive technological defenses. In fact, a major contributor to the problem is simply the way the world has changed over the last few years. It used to be easier to think about data security (if not to put it into practice): companies just had to physically secure hard drives and archives. But today, bits are residing and flying all around the globe, and with cloud computing and mobile devices, you may not even know where your data is!
Given this reality, the most important step to preventing breaches is to recognize your company’s vulnerabilities and fully understand the processes you need to develop to meet the challenges. Only then can you decide on the right technology for implementing these processes. With this in mind, here are my top five security threats and what it takes to deal with them.
1. Internal Excessive Privilege
Maybe the world wasn’t actually simpler a few years ago. Perhaps we were just more naïve. But companies used to view the world as “us against them.” “Them” were the threats: thieves, hackers, sneaky competitors, disgruntled former employees. “Us” were the current employees, the good guys, the heroes—by definition the keepers of the realm. As such, system administrators typically had complete access to physical servers, server software, and the data. Equally important, individuals throughout the company—including executives—who obtained access rights to information while in one capacity rarely had them taken away when they changed roles.
As a result of incidents such as Société Générale’s $7 billion loss stemming from rogue trader Jérôme Kerviel, companies know they can no longer afford to ignore internal risks. Government and industry regulations, such as Sarbanes-Oxley (SOX) and the Payment Card Industry (PCI) Data Security Standard (DSS), have also focused attention on internal risks by stipulating that various individuals in various roles should have access to only certain types of information.
But even for businesses that aren’t highly regulated or processing billions of dollars’ worth of transactions, the potential for employees to abuse their access privileges for personal gain, or to defraud the company or other employees, or to engage in identity theft to make illegal purchases, raises very serious questions about who can be trusted with what forms of access. Even if the odds are low, it takes only one bad egg to cause a major breach that hurts customers and damages the brand.
From a process standpoint, the most effective way to meet this challenge is to adopt a security posture called “least privilege.” This means that the business needs to determine the least amount of access each user role should have in order to accomplish their required tasks. This brings up further questions like, “How can you empower administrators to manage the enterprise systems but limit the visibility of the more sensitive data contained within them?” and “When an employee changes roles within the company, what processes are in place to ensure that any access rights no longer required are quickly revoked?”
2. Third-party Access
Cloud computing, with its everything-as-a-service model, has introduced an entirely new level of complexity to information security. Information in the cloud can be anywhere, so it is no longer possible to protect it simply by placing it in a vault or wrapping it behind a firewall. Your information could be sitting on virtual servers that are managed by one service provider but physically located in facilities owned by one or more infrastructure-as-a-service providers. Companies now have to worry about not only which of their employees may have access to sensitive information, but also which third-party provider employees may have access to any unencrypted data. How can you be sure that a cloud provider employee with root access to a server isn’t poking around in your data? Do you really know how many people not directly in your employ may have some level of privileged access to your cloud-based data?
The complication here is that the consumers of public cloud services typically have very little insight into the topology and security measures used by cloud platform providers and their data center hosts. To meet this challenge, you need to press your service providers for additional information on their security measures, while also focusing on identity management and least privilege access as key strategies to minimize your risk in the event of a problem.
3. Hacktivism
According to the Verizon report, the biggest security threat this last year was from hacking. And hacktivism—politically motivated hacking—is clearly on the rise, including by groups such as Anonymous and LulzSec, which have claimed responsibility for hacking several prominent websites. While their success is in part due to social engineering (see below), they assert that much of their success comes from having found easy targets. For example, after Anonymous successfully hacked the email accounts of Syrian president Bashar al-Assad and 78 members of his staff, the group revealed that 33 of the victims were using the same 12345 and 123456 passwords.
While companies may have very little control over issues that could result in an attack by a hacker or hacking group, there is much they can do to make it harder for the attack to succeed. First and foremost, “lock the front door” by implementing comprehensive password management that enforces strong passwords and requires them to be changed regularly. Secondly, for situations where more security is required, further vet the user’s identity before granting access to more sensitive data and systems by implementing a multifactor authentication strategy – where, in addition to providing a username and password, the user also has to present another factor like a smart card, hard or soft token, or biometric in order to authenticate. Finally, adopt a least privilege security posture – by assigning just the amount of privilege necessary to perform required tasks and revoking privilege when it is no longer required – so, even if a hacker makes it into your systems, the damage will be relatively limited in scope.
4. Social Engineering
The vulnerability that comes from social engineering really has nothing to do with technology. It’s the age-old technique of using lies, deception, manipulation, and more to gain sufficient knowledge to carry out an attack. The tools may have changed, but the storyline is much the same. For example, a scammer may use Facebook to gain knowledge of a victim’s lifestyle, friends, activities, and a planned sailing trip to Bermuda. Then, when the victim is completely off the grid, the scammer calls into the victim’s office and convinces a colleague or admin to provide a password so the scammer can help his “dear friend” with a business emergency.
Like phishing attacks, phone scams, and door-to-door sales ploys, people fall for these social engineering strategies mainly out of ignorance. And, while a mixture of education and diligence is the real antidote here, a culture of security, in which strong identity management processes are in place, can serve to foster education, encourage diligence, and limit the scope of any successful attack.
5. Internal Negligence
Negligence is an offense committed by management when “they should have known better.” In fact, most successful data security breaches have some element of managerial negligence associated with them. For example:
- In 2008, Société Générale’s convicted rogue trader Jérôme Kerviel likely was able to engage in forgery and unauthorized use of computer systems because of lax oversight and weaknesses in its risk control systems. The bank admitted it had failed to follow through on at least 74 internal alerts about Mr. Kerviel’s trading activities. In addition, a key contributor to the problem was that Kerviel had previously held a back-office position with the bank, and because his data access privileges were not revoked when he became a trader, he was able to go into the system, approve his own trades, and hide his activities for an extended period of time.
- In 2009, a contractor for Fannie Mae was charged with planting a rogue script designed to destroy all data on the company’s 4,000 computer servers nationwide. The employee had been terminated but retained rights to the UNIX server where he planted the script! While Fannie Mae stopped the script before any real damage was done, court documents estimated that the damage could have cost several million dollars and would have shut down company operations for at least a week.
- In 2009, Terry Childs, a San Francisco city employee, held hostage the city’s municipal network, which handles everything from the mayor’s e-mail to San Francisco’s electronic court records, by modifying the system so that only he had top-level permissions—a capability he never should have had.
- In 2008, hackers gained access to Heartland Payment Systems’ computer networks and stole credit and debit card numbers as they were being processed over a period of several months. Administrators did not catch the activity, even though it was readily apparent in log reports automatically generated by the payment systems!
- In 2010, U.S. regulators fined Deutsche Bank $575,000 for disabling a software system that was needed to block certain inappropriate trades—because the software system suffered from persistent operational issues. Despite the obvious and ongoing problem, the firm ran “inadequate supervisory systems” to monitor the issue and did not fix the problem until it was discovered by regulators.
The Lessons
The following is recommended:
- Adopt a “least privilege” security posture – Give each employee the least privilege necessary to accomplish required tasks and ensure that unnecessary access rights are revoked whenever an employee changes roles.
- Embrace an access review policy – Provide regular, automated access alerts that notify two or more administrators of access changes, employee changes or other critical issues.
- Lock the front door – Employee education can cover the logistics and basics of security, but can also address topics such as the psychology and known techniques of social engineering hacks.
- Achieve compliance – Implement access control and separation of duties practices and technologies, and develop, implement, and enforce secure policy on all system access.
For the majority of today’s data security threats, prevention and mitigation lie in education, diligence, and processes – supported by technology where appropriate – that enforce strong passwords (which are changed regularly), support least privilege access to systems and sensitive data, and revoke access when it is no longer needed.
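As an added illustration of the least privilege and access review lessons above (not code from the original article or from Quest Software), the following Python models the gap described in the Kerviel example: an employee moves from a back-office role to a trading role, the old entitlements are never revoked, and a periodic access review flags both the excess rights and the resulting separation-of-duties conflict before revoking them. The role names, entitlement strings and employee record are constructed for the example.

```python
"""Least-privilege reconciliation and access review (constructed example)."""
from dataclasses import dataclass, field

# Constructed role model: the least set of entitlements each role needs.
ROLE_ENTITLEMENTS = {
    "back_office": {"trade.view", "trade.approve", "settlement.edit"},
    "trader": {"trade.view", "trade.enter"},
    "sysadmin": {"server.login", "server.restart"},
}

# Entitlement pairs no single person should hold at once (separation of duties).
SOD_CONFLICTS = {("trade.enter", "trade.approve")}


@dataclass
class Employee:
    name: str
    role: str
    entitlements: set = field(default_factory=set)


def change_role(emp, new_role):
    """Negligent role change: grants the new role's rights but revokes nothing."""
    emp.role = new_role
    emp.entitlements |= ROLE_ENTITLEMENTS[new_role]


def excess_entitlements(emp):
    """Rights held beyond what the employee's current role requires."""
    return emp.entitlements - ROLE_ENTITLEMENTS[emp.role]


def sod_violations(emp):
    """Conflicting entitlement pairs the employee currently holds together."""
    return {pair for pair in SOD_CONFLICTS if set(pair) <= emp.entitlements}


def review_access(employees):
    """Access review: one alert tuple per finding, to be routed to two or more
    administrators as the article recommends."""
    alerts = []
    for e in employees:
        extra = excess_entitlements(e)
        if extra:
            alerts.append((e.name, "excess", sorted(extra)))
        for pair in sod_violations(e):
            alerts.append((e.name, "sod", list(pair)))
    return alerts


def revoke_excess(emp):
    """Enforce least privilege: keep only the current role's entitlements."""
    removed = excess_entitlements(emp)
    emp.entitlements = set(ROLE_ENTITLEMENTS[emp.role])
    return removed
```

Running `review_access` on an employee who moved from `back_office` to `trader` via `change_role` reports the stale `trade.approve` and `settlement.edit` rights and the `trade.enter`/`trade.approve` conflict; `revoke_excess` then clears both findings.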
About the Author
John Milburn is responsible for product direction for all solutions supporting Identity and Access Management at Quest Software. Prior to his current position, Milburn served in various roles at Quest, including Vice President of System Consultants in North America. He has more than 15 years of experience in Microsoft-focused corporate IT environments. Before joining Quest in 1999, Milburn worked on WINtel architecture for Bank of America. He has a bachelor’s degree in finance from Southern Methodist University, and a master’s degree in information sciences from the University of Texas.