Cyber Risk No. 1: Loss Or Theft Of Confidential Information

Cyber risks are a growing concern for every company, no matter the industry. The storage and transfer of data have become necessary parts of doing business, and “putting it out there,” so to speak, increases the chance of an attack.
File sharing in particular is a major concern for organizations concerned about their sensitive or proprietary data.  With services like Dropbox, Google Drive and Microsoft’s SkyDrive gaining traction daily, IT professionals need an effective way to manage and monitor the flow of their data.  It’s for this reason that both our Harbinger and Nemesis services include a dedicated file sharing category, giving you the ability to control the transfer and integrity of your data.
This month we’ll be looking at three cyber risks most often identified by companies open to disclosure. The first risk is loss or theft of confidential information, which has become even more of a concern for companies and individuals in this post-NSA PRISM world. 
Each year, security threats continue to be more costly and require greater vigilance as evidenced in a recent settlement that cost Sony more than $383,000 in UK-based fines for a 2011 breach of its PlayStation Network. Nintendo also faced similar issues in June of this year with more than 15 million hacking attempts resulting in 24,000 breaches in a single month, according to CBR Online.
The average cost of a breach lasting 3-5 days for a small company is $35,000 – $65,000. For a large company, that number grows to a staggering $400,000 – $840,000. If at first glance those figures seem high, consider the cost of the following: time spent responding to the incident, lost business, lost assets, and reputational damage, and that’s before any compliance issues or fines.
The more your business grows, the more likely it is to attract the interest of attackers. So what can you do to protect yourself?
1. Pinpoint the associated risks for the types of data that are important to your business. 
2. Define your security policy. 
3. Implement.
4. Review and revise.
Final word of warning: don’t think this is one-size-fits-all. Prevention depends on your company’s needs, and could involve Internet-use controls, safeguards against intrusion, or remote-access safety measures for backing up and accessing data.

Know what you need, and make sure you get it.  For more information about our Harbinger and Nemesis services, visit us at

How to stay off the list of Top Breaches 2013

An example of theft. Someone took everything except for the front wheel. (Photo credit: Wikipedia)

As the saying goes, there is always something to be learned from every success
and failure. What we can take away from the top breaches of 2012 is a
list of what to do to avoid similar breaches and ensure you’re not on the list
for 2013.
Below is a list of what we felt were the most significant:

  1. Segment and divide your networks. Don’t
    have the prisoners on the same network as the guards. Related breach: New
    Hampshire Department of Corrections prisoners accessed the guards’ database.
  2. When you have a database, watch who is accessing it, what they
    are accessing, and from where they are accessing it. Related breach: New York State Electric & Gas
    Co. had 1.8 million files exposed due to unauthorized access by a contractor.
  3. Create alerts for large amounts of data being moved. Related breach:
    South Carolina Health and Human Services had an employee steal the records of about
    228,000 people by emailing them to himself.
  4. Use a trusted, private corporate courier for sensitive data. Related breach: California Department of Social Services microfiche was damaged after being sent
    through the U.S. Postal Service.
  5. Limit access to, and storage or transfer of, large amounts of data, and allow it only
    on non-mobile devices. Related breach: NASA laptop stolen with thousands of
    employees’ personally identifiable information.
  6. All reports that are to be made public should be vetted and signed off by senior or
    security staff, ensuring the report doesn’t contain any sensitive
    information. Related breach: Wisconsin Department of Revenue staff members
    posted a report with sensitive material on a publicly accessible website.
  7. When making major changes to data storage, include a security
    assessment: Does your new setup meet the standards of the old system? It
    should exceed the old one, not be a step back. Apply the same security, if not more, to
    backup information as to the primary source. Related breach: California Department
    of Child Support Services lost more than 800,000 sensitive records on a backup
    tape when it was shipped by FedEx and the files fell off the truck.
  8. Update employee awareness and training. Related breach: University of
    North Carolina-Charlotte exposed 350,000 personal data files “accidentally made
    available for three months.”
  9. Sensitive data should be encrypted in case it is stolen. Related breach:
    Zappos had their network hacked, but the hackers couldn’t use the information because it
    was encrypted.
  10. Protect
    your network against SQL injection attacks by following best practices. Related breach: United States Navy & DHS website was hacked by Blind SQL injection.

eSecurityPlanet offers a comprehensive article that outlines four methods to prevent a SQL
injection attack.  

  • Filter user data according to context; for example, email addresses should be filtered
    to allow only the characters permitted in an email address
  • Use a web application firewall
  • Limit database privileges by context by creating multiple database users
  • Use SQL variable binding with prepared statements or stored procedures
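To make the first and fourth of those methods concrete, here is a small added example (not code from the article or from eSecurityPlanet) using Python’s built-in sqlite3 module. It builds a constructed, in-memory users table, then contrasts a string-built lookup, where the user’s input becomes part of the SQL text, with a lookup that first checks the input against an allow-list of email characters and then passes it to the database as a bound parameter. The table contents, the email pattern and the function names are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data (not from the article): three accounts so the
# queries below can run offline against an in-memory database.
SAMPLE_USERS = [
    (1, "alice@example.com", "Alice"),
    (2, "bob@example.com", "Bob"),
    (3, "carol@example.com", "Carol"),
]

# Allow-list for the characters an email address may contain (method 1).
# Quotes, semicolons, whitespace and comment markers never get past it.
# This is a deliberately simple pattern chosen for the example, not RFC 5322.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(value: str) -> bool:
    """Context filter: accept only strings shaped like an email address."""
    return EMAIL_RE.fullmatch(value) is not None


def open_sample_db() -> sqlite3.Connection:
    """Create the constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """String-built query: whatever the caller passes is spliced into the SQL."""
    sql = f"SELECT id, name FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Validate first, then bind the value (method 4) so it is only ever data."""
    if not is_valid_email(email):
        raise ValueError("rejected: not a well-formed email address")
    return conn.execute("SELECT id, name FROM users WHERE email = ?", (email,)).fetchall()


def demo() -> dict:
    """Run both lookups on a normal address and on one containing a quote."""
    conn = open_sample_db()
    results = {}
    results["safe_match"] = lookup_safe(conn, "bob@example.com")
    results["unsafe_match"] = lookup_unsafe(conn, "bob@example.com")

    # Constructed input containing an apostrophe. It is not an attack string,
    # but it is enough to show that the unsafe version lets input change the
    # SQL text itself (here, breaking the statement), while the safe version
    # rejects it before the database sees it.
    odd = "o'reilly@example.com"
    try:
        lookup_unsafe(conn, odd)
        results["unsafe_quote"] = "query ran"
    except sqlite3.OperationalError:
        results["unsafe_quote"] = "SQL syntax broken by input"
    try:
        lookup_safe(conn, odd)
        results["safe_quote"] = "query ran"
    except ValueError:
        results["safe_quote"] = "rejected by validator"

    # Binding alone (without the allow-list) also keeps the quote inert: the
    # value is compared literally and simply matches no row.
    results["bound_quote"] = conn.execute(
        "SELECT id FROM users WHERE email = ?", (odd,)
    ).fetchall()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two defences are complementary: the allow-list rejects input that has no business reaching the query, and parameter binding guarantees that whatever does reach it is treated as a value rather than as SQL. SQLite has no per-user grants, so the third method (separate, least-privileged database users per context) is not shown here; on a server database the lookup above would run as an account that can only read the users table.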

What are you adding to your check list?

Editorial comment: We’ve received feedback that point #10 is not relevant, as it is a known fact and not a needed reminder. Excellent point; unfortunately, that isn’t what we saw when we reviewed the lists of top breaches for 2012. On one list of top ten, two of the breaches were caused by SQL injection.
