make a good business better

Blog Information Security

Print Divider Print Divider Branding
 

Preventing Data Breaches: Back to the Basics

10/11/2016  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Information Security

Share

Social Logo Social Logo Social Logo Social Logo

While reading about recent data breaches, one thing comes to mind: Remember the Basics.  Yes, there are evil hackers who want your data and APT’s are difficult to detect, but the majority of reported breaches can be prevented or their damage limited by some basic controls.

  1. Encrypt your systems, especially laptops
  2. Change the password culture at your organization, change passwords often, and do not share
  3. Review the logs

Encrypt All Systems: Especially Systems That Move

This first point is seen time and again in the breach reports.  XYZ organization has been breached because a laptop was stolen either from the premises or an employee removed it from the premises and it was stolen.  While not foolproof, full disk encryption will help limit the thief’s ability to access any data on the system.  To address some of the early criticisms, full disk encryption has become more stable and less expensive to implement.

Password Security: Change Passwords Often

Passwords are like toothbrushes and underwear; you don’t share them and you should change them often.  It is a crude analogy, but it is true.  Multiple breaches have been reported to be due to unauthorized people using the credentials of those who were authorized to access records.  Sometimes the unauthorized individuals are accessing records for months before they are discovered. 

First, ensure your organization has a culture that prevents the sharing of passwords, with anyone, ever, not even an administrator.  Often times a technician will ask for a password to make his/her work easier, but this should never be acceptable and employees should be aware that they can tell the technician no without fear of retribution. 

That said, there are environments where the need to protect passwords is weighed against the needs of the business, such as healthcare.  In those situations, the business should weigh the cost of a breach versus the cost to implement other technologies for authentication.  Usernames and passwords take time to log in, but proximity badges with a short pin are multi-factor and may be faster for a nurse or doctor to use without slowing patient care.

Review the Logs

Computer systems produce mountains of data, so what do you look for? First, start with your most valuable assets.  Looking for data leaving the network may be difficult for a small business, so start with what is valuable and stay close to the source.  Recent breach reports indicate what appears to be an uptick in organizations self-detecting unauthorized access, instead of outside third parties informing the affected. 

How is this done? By reviewing logs.  An example of such a review may be a regular review of who accesses which records at a medical facility to verify that access complies with each individual’s shifts and assigned patients.  If there is a worry about data exfiltration, the best option may be to hire a third  party to monitor network traffic as it enters and leaves the network. 

Log monitoring can be like drinking from a fire hose; turning it all at once will just be overwhelming and there will be little to no value.  Instead, start small, define the most valuable assets and determine what should be reviewed and how often.  Then grow from there, bringing in outside resources if necessary.  If you already do these things, seek to increase the frequency. 

Catching issues weekly is better than monthly, and monthly is better than every 6 months. In short, by learning from current breaches, an organization can see how certain common actions can be more valuable than the major technical solutions.

  1. Encrypt your portable systems. Windows Bitlocker (included with most current versions of Windows) is better than nothing.
  2. Make sure your organization has a culture that keeps passwords secure. If the business will not allow it, look into other mechanisms for authentication.
  3. Review computer logs. Start with your most valuable systems and data and grow from there.