Data Protection and Defense
Just a few short years ago, “Data Security” for your company meant installing a firewall and anti-virus software on the file server. Early “hackers” were loners, writing viruses that would spread via a floppy diskette or in Microsoft Word Macros. Now, we see “botnets” consisting of 1,000's of infected machines doing the attacks, and the “hackers” are often located overseas and are “organized criminals” The attacks are becoming much more sophisticated, blending several attack methods See Beyond Viruses and Worms or
Criminals Increasingly Blend IT Threats for more on this thread of discussion.
How can you “lose” data, “Let me count the ways…”
The “Chronology of Data Breaches” website, http://www.privacyrights.org/ar/ChronDataBreaches.htm , lists hundreds of data leaks publicized since 2005. As of April 2007, those data losses totaled +153,000,000 customer records affected (some people faced more than one exposure). Causes of these data losses include:
- Hackers, (Security Info Watch)
- Paper records found in dumpster
- Paper records found in plastic bag at curbside, (Consumer Affairs Data Security Story)
- Paper records abandoned in an office, (Consumer Affairs Data Security Story)
- Paper records found in recycling center,
- Data posted on public website,
- Computers/servers stolen from offices, (Consumer Affairs Data Security Story)
- Lost and stolen laptops, (eWeek Data Security Report)
- Backup tapes, (IT Toolboxes Data Security Hall of Fame)
- Email, (Salon.com's Enron Data Security Story)
- Disgruntled employees actively stealing data (SearchSecurity.com Data Security Story)
- Hard drives sold publicly (Computer Reveals Personal Information)
- USB drives stolen and lost (Vetran Affairs Data Security Issue)
- Fax to wrong number (Speach Faxed to Opposition Party)
- Waiter making copy of credit card information on magnetic strip
- Video camera and magnetic strip reader attached to Automated Teller Machines
- Instant Messaging (IM)
- RFID chips, (RFID Data Securtiy Issue)
A couple of my favorites were the 478 laptops stolen from/lost by the US Internal Revenue Service between 2002 and 2006 (http://www.treas.gov/tigta/auditreports/2007reports/200720048fr.pdf)and the 160 laptops lost by the FBI in 44 months (http://arstechnica.com/news.ars/post/20070212-8821.html). Myself, I have been part of a data breach. A former employer sent me a form letter saying that my personal information was involved in a data breach.
Why Worry about Data Security
The need for Data security can be very simply stated. If you do not keep your sensitive data secure, you could end up paying enough money to put you out of business.
An extreme example of the cost of data losses is Choicepoint. In January of 2006 they paid a $15 million settlement to the US Federal Trade Commission for a data breach. However, even without data loses, you could lose business or pay fines. Federal and Provincial/State governments have been enacting Data Security Laws for many different situations. If your business is in one of the areas covered, you have no option, you have to follow the law, and ignorance is no excuse.
What Can Be Done to Protect Your Data and Your Company
“The only truly secure computer is one that is unplugged and locked into a bank vault.”
Phrases similar that have been around for a long time, and they are essentially true. As soon as a computer is connected to a network, it is exposed to risk of data security compromises. However, computer systems, networks and data have to be open in order to get the most value from them. Therefore there is always an appreciable risk that data will be leaked.
Information Security Policies & Procedures
Policies are the “laws” that define how the company intends to operate. Policies should be reviewed periodically. This is especially important in the Information Technology area since it is changing so rapidly. How many business people had used IM (Instant Messaging), VoIP (VoIP) or heard of “Phishing” attacks. Corporate policy and procedure should also address explicitly how suspected and actual data leaks will be handled. Public perception of mishandling that type of situation can cause as much, or more, damage to the company as the actual data leaks. Being able to prove to the public, auditors and the legal system that your company did take appropriate steps to prevent the leak is one of the best defenses you can have. Actually, the simplest security procedure to apply is encryption. For example, for many purposes, if leaked data (ie lost laptop, backup tape) is encrypted with an approved encryption system, then the data is still considered secure and the leak does not have to be publicly reported.
Identify all of the sensitive information you have, where it is stored and who is responsible for it, the data owner), and what is worth to the company. Spending a lot of money to protect the current, public, version of your catalog does not make sense. However, spending money to protect your customer's purchasing information or your company's “secret” 5 year marketing plan, does make sense.
April 2007 Rohn Solecki
Rohn is a Data Security Consultant in Winnipeg Manitoba
If you have questions or would like to know more about Infomation Security please call us.
What is “Personal Information”
This definition is copied from section 3 of the Canadian Privacy Act: http://laws.justice.gc.ca/en/P-21/section-3.html
(a) information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual
(b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved
(h) the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual by an institution or a part of an institution referred to in paragraph (e), but excluding the name of the other individual where it appears with the views or opinions of the other individual, and
From the California privacy legislation (which is the base for privacy legislation in many other states) SB 1386 http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
(e) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted
(1) Social security number
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Some of the specific data elements this would include are: Name, phone number, address
The more layers of defense, and the more different types of defense you put into place, the harder it is for an attacker to get to your data. What types of defense are available:
- firewalls to limit access into and out of your corporate network and PCs
- IPS/IDS –Intrusion Protection Systems & Intrusion Detection Systems to identify when your network is being attacked from the outside and / or block those attacks
- Switches vs Hubs. Use switches to limit traffic on a network connection compared to Hubs which broadcast everything to everyone
- Network Segmentation – use your switches to divide the network into logically separated sections
- Encryption to protect data “in motion”, moving over internal wired and wireless networks or the internet. And to protect data “at rest” on various storage devices, and devices that most people do not consider as “data storage” devices. Data can be “at rest” on your desk top hard drive, on a server hard drive (file, web or email), or on a laptop hard drive. There are more relatively “new” technologies that can hold your data, such as USB thumb drive, MP3 player, Blackberry, Cell phone, digital camera, pager, PDA, and external hard drives (up to 500 GB, and growing).
- End Point Protection refers to most of the devices listed above as candidates for encryption. However it refers to controlling access to various connections to your network. In the early days of computing, a network was strictly limited to internal access. It was easy to control. Then the internal networks were connected to other networks, then by strictly controlled modem connections, next by firewall controlled access to the internet. Now computers now provide uncontrolled access to the computer, and the connected network via USB and Firewire connections and wireless devices. So now internet access can be made bypassing the corporate firewall.
- Software Patch Management is required ensure that all required application and operating system patches are applied in a timely manner. Although most of the current publicity is focused on new threats, the sad fact is that relatively “old” threats continue to be active on the internet, just waiting for the opportunity to attack a computer that is not up to date.
- Anti-Malware protection. “Malware” is a generic term for all forms of software that may attack your computer. “Viruses” were the original form of malware. Currently malware includes, spyware, Trojans, keyloggers, phishing and pharming attacks to name a few of the current recognized categories. One thing to remember is that “one size” anti-malware software does not “fit all”. Just because you have anti-malware on your server, does not mean that your desktops are protected. And then again, using versions of the same anti-malware on the desktop and server is not the best approach. Various anti-malware vendors have different approaches, they have different strengths and therefore may not find the same sets of malware. Therefore, there is an advantage to using different tools in different places to stand a better chance of finding more different malware.
- Proxy Servers or Application Servers are a specialized type of firewall. Each proxy server is designed for a specific application or programming language. This allows the proxy server to inspect the content in the traffic to determine if it contains harmful commands or content. Proxy servers are often implemented on standalone hardware so that they do not impact application speed or network data transfer speed.
SIM / SEM / SIEM
Security Information Management, Security Event Management, Security Information Event Management are variations on the same theme. Collect security information from all around the company, log it in a common location and act on events of interest. The idea is to be able to identify when your company is being attacked, and hopefully be able to act to block the attack before it succeeds. Even so, sometimes breaches will occur. Therefore it is helpful to have access to logged information that will help retroactively identify when the attack started /ended, how it was done and what was taken.
What combination of strategies you implement depends on your needs, the sensitivity of your data, and your budget. The choice is up to you.
ProtectTools for notebook and desktop PCs
From preventing targeted theft, to blocking unauthorized access to key company data and helping enforce strong password policies, HP ProtectTools offers you a complete toolset to protect your key business data and assets.
HP ProtectTools Security Manager brings key security technology areas together into a holistic approach to security that makes it easy for you to choose the level of security that is right for your business. Choose from a growing collection of software modules to offer better protection against unauthorized access to PCs while making accessing PCs and network resources simple.
||Embedded security for HP ProtectTools uses a TPM-embedded security chip designed to work with a growing number of third-party software solutions to help protect sensitive data stored locally on a PC.
||BIOS Configuration for HP ProtectTools* provides an easy to use alternative to the pre-boot BIOS configuration utility (known as the F10 Setup) to help protect a system from the moment power is turned on. The embedded security chip enhanced Drivelock* helps protect a hard drive from unauthorized access, even after it is removed from the system.
||Smart Card Security for HP ProtectTools allows you to enable optional Smart Card authentication before the operating system loads, providing an additional layer of protection against unauthorized use of the PC. You can also configure separate Smart Cards for an administrator and a user, and easily backup and restore credentials stored and the Smart Card.
||Credential Manager for HP ProtectTools is a personal password vault that makes accessing protected information more secure and convenient. Users won't need to remember multiple passwords for their collection of password protected websites, applications, and network resources, and a single sign-on capability adds additional protection, requiring users to use combinations of different security technologies, such as Smart Card and biometric when authenticating on the PC.