This is a guest blog by Peter Lindley, a Security Researcher for the InfoSec Institute.
Is there really still a need for articles such as this to begin – as is usually the case – by describing the current threat landscape and potential impact to businesses from breaches to enterprise data security?
Really? Oh, alright then.
Let’s just try “Google” and in particular look at “news” for “data security breaches.” (Other fine search engines are available of course).
At time of writing (August 2015) my results for this search include articles with the following headers:
“Data breach by holiday firm Thomson exposes hundreds of passengers;”
“Class action lawsuit filed against IRS for data breach;” and
“Carphone Warehouse hackers gain access to millions of customer bank details.”
Just a few of the results for one day.
As usual the impact to these organizations, and any others who might suffer a similar compromise of their enterprise data, goes beyond the financial loss arising from legal action. The potentially catastrophic damage to reputation in some cases is clear and the frantic activity to try to deal with this after the fact may be ultimately futile.
It is of course much better to have arrangements in place to prevent such breaches from occurring in the first place and to provide assurance to existing and prospective customers that your business is not going to be the next one to make the headlines because of an enterprise data breach.
So what arrangements should you have in place? Here are 12 tips for securing your enterprise data.
Tips for Securing Your Enterprise Data
Data Audit/Asset Register
First, you should know exactly what enterprise data you have. Full details are often not known, with particular departments only aware of the data and systems relevant to their business areas.
Carry out an audit to identify all data, how it is stored and processed and the level of protection it might require – particularly for business-critical data (the “crown jewels”). Consider using a protective marking scheme to clearly differentiate “confidential” data requiring special security measures from non-sensitive information.
It’s useful to compile asset registers, both for the data and for the physical and other components that make up the infrastructure, hardware, software, applications, etc. used to hold the data and process it.
Now that you know what enterprise data you have and which of it is critical to the business' operation, you can carry out a risk assessment. Implementing security arrangements based on a risk assessment of your specific environment is the most effective approach: time (and money) is spent only on the vulnerabilities and threats that actually apply to your system configuration, and the result is a set of risk-based security measures (technical, procedural and policy-based) that can collectively be referred to as an Information Security Management System (ISMS).
Staff Security Awareness
Inadvertent, or less often deliberate, actions or oversights by staff continue to account for the majority of reported data breaches, so a staff security awareness program remains one of the most important ways to mitigate enterprise data breaches. Having documented data security policies and procedures in place within your company, and using them as the basis for security awareness training, is highly recommended.
Data Security Governance
Where possible, have data security governance in place with an understanding (and acceptance of ownership) of enterprise data risk at senior management level within your organization. Having a Data Security Manager (or Information Security Officer) in place to oversee security policy and provide advice and guidance would be another key measure.
Incident Reporting and Management
Documented procedures for reporting and investigating suspected and actual data breaches help ensure that staff know what to do to minimize any adverse impact should an incident occur. The procedures should also include arrangements for analyzing each incident to identify any lessons to be learned and ensure that the necessary actions are taken to prevent similar incidents in the future.
Secure System Configuration
Ensure that all hardware and software system components (servers, desktops, laptops) are securely configured, with any functionality that is not required disabled. Computers and other IT devices are generally not secure as initially installed: default settings often include administrative accounts with publicly known, or easily guessed, default passwords, and other accounts that are not needed may also be enabled, giving an attacker a way into the system, possibly with privileged access rights. Disabling these accounts and changing the insecure default settings to create a more secure configuration (system "hardening") provides further mitigation against the risk of a breach.
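As an added example (not code from the original article), the following Python script audits an OpenSSH server configuration for the kind of insecure defaults described above and emits a hardened copy. The sample sshd_config is constructed; the directive names and values are real OpenSSH settings, while the choice of which values count as weak, and the treatment of Match blocks (everything after the first Match line is conditional and is left alone), are assumptions of this script.

```python
"""Audit an OpenSSH sshd_config for insecure defaults and produce a hardened copy.

Added example for this article; the sample configuration below is constructed.
sshd applies the FIRST value it sees for each keyword, and anything after the
first "Match" line is conditional, so both behaviours are modelled here."""

# keyword -> (values to flag as insecure, value to set instead)  [assumed policy]
HARDENING_POLICY = {
    "PermitRootLogin": ({"yes"}, "no"),
    "PasswordAuthentication": ({"yes"}, "no"),
    "PermitEmptyPasswords": ({"yes"}, "no"),
    "X11Forwarding": ({"yes"}, "no"),
}
# Keywords whose compiled-in default is weak, so they must be set explicitly.
REQUIRED_DIRECTIVES = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}
# sshd keywords are case-insensitive; map any spelling to the policy's.
CANONICAL = {k.lower(): k for k in HARDENING_POLICY}

# Constructed sample resembling a distribution default (not a real host's file).
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
X11Forwarding yes
PermitEmptyPasswords no
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""


def parse_directives(text):
    """Yield (keyword, value) per non-comment line, stopping at the first Match block."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if parts and parts[0].lower() == "match":
            return  # later directives apply only to the matched users/hosts
        if len(parts) != 2:
            continue
        yield CANONICAL.get(parts[0].lower(), parts[0]), parts[1].strip()


def effective_settings(text):
    """First occurrence wins, as in sshd; later duplicates are ignored."""
    effective = {}
    for keyword, value in parse_directives(text):
        effective.setdefault(keyword, value)
    return effective


def audit_sshd(text):
    """Return findings as (keyword, observed value, recommended value)."""
    effective = effective_settings(text)
    findings = []
    for keyword, (insecure, hardened) in HARDENING_POLICY.items():
        observed = effective.get(keyword)
        if observed is not None and observed.lower() in insecure:
            findings.append((keyword, observed, hardened))
    for keyword, hardened in REQUIRED_DIRECTIVES.items():
        if keyword not in effective:
            findings.append((keyword, "<unset: built-in default applies>", hardened))
    return findings


def harden_sshd(text):
    """Rewrite flagged values in place and add missing required directives.

    Missing directives are inserted BEFORE any Match block; appending them at
    the end of the file would silently make them part of the last Match block."""
    out, seen, match_index = [], set(), None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if parts and parts[0].lower() == "match" and match_index is None:
            match_index = len(out)
        if len(parts) == 2 and match_index is None:
            keyword = CANONICAL.get(parts[0].lower(), parts[0])
            if keyword in HARDENING_POLICY:
                seen.add(keyword)
                insecure, hardened = HARDENING_POLICY[keyword]
                if parts[1].strip().lower() in insecure:
                    out.append(f"{keyword} {hardened}")
                    continue
        out.append(raw)  # comments and unrelated directives are preserved verbatim
    missing = [f"{k} {v}" for k, v in REQUIRED_DIRECTIVES.items() if k not in seen]
    insert_at = len(out) if match_index is None else match_index
    out[insert_at:insert_at] = missing
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for keyword, observed, recommended in audit_sshd(SAMPLE_SSHD_CONFIG):
        print(f"WEAK  {keyword} = {observed!r}; set to {recommended!r}")
    print("--- hardened configuration ---")
    print(harden_sshd(SAMPLE_SSHD_CONFIG), end="")
```

The same first-value-wins and Match-block rules are what make a manual review error-prone: a hardened line added below an existing weaker one, or below a Match block, changes nothing, which is why the script re-audits its own output before you would deploy it.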
Network Perimeter Security
Deploying appropriate boundary security controls helps offset risks such as leakage of enterprise data, unauthorized access, delivery of malware, and denial of service attacks. Use firewalls to provide a buffer zone between untrusted external networks (such as the Internet) and the internal enterprise network. Firewall rules should block traffic by default and allow only an approved set of connections (a whitelist, or allow list), with the permitted traffic filtered, monitored and scanned for malware.
Make sure that no direct connection is possible from external untrusted systems or networks to any internal system processing or holding enterprise data. Internally, segregate the network so that the live (production) environment is isolated from other, potentially less secure, environments (e.g. a development or training network). Penetration tests by specialist technical staff can be arranged to identify and address any residual security weaknesses.
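As an added illustration, not code from the original article or any firewall product, here is a small Python model of the default-deny, allow-list policy described in the two paragraphs above, together with an automated check that no rule lets an untrusted zone (the Internet or the development network) reach the segment holding enterprise data directly. The zone names, rules and probe connections are constructed for the example.

```python
"""Zone-based perimeter policy as code: default deny, explicit allow list, and a
review that catches rules which connect an untrusted zone directly to the data
segment. Added example; zones, rules and connections are constructed and do
not come from the original article or any firewall product."""

from dataclasses import dataclass

ANY_PORT = 0


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int  # ANY_PORT matches every port


@dataclass(frozen=True)
class Connection:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


# Constructed zone model (assumption): the Internet and the development network
# are untrusted; "data" is the segment that stores and processes enterprise data.
UNTRUSTED_ZONES = {"internet", "dev"}
DATA_ZONES = {"data"}

# Constructed allow list. Anything not listed here is denied (default deny).
ALLOW_RULES = [
    Rule("internet", "dmz", "tcp", 443),       # public HTTPS front end
    Rule("dmz", "internal", "tcp", 8443),      # web tier to application tier
    Rule("internal", "data", "tcp", 5432),     # application tier to database
    Rule("internal", "internet", "tcp", 443),  # outbound HTTPS via the proxy
]


def rule_matches(rule, conn):
    return (rule.src_zone == conn.src_zone
            and rule.dst_zone == conn.dst_zone
            and rule.proto == conn.proto
            and rule.dst_port in (ANY_PORT, conn.dst_port))


def is_allowed(rules, conn):
    """Default deny: a connection is permitted only if an explicit allow rule matches."""
    return any(rule_matches(r, conn) for r in rules)


def segmentation_violations(rules):
    """Rules that give an untrusted zone a direct path into a data zone.

    This inspects the policy itself, so a bad rule is caught at review time
    rather than when an attacker's packet tests it."""
    return [r for r in rules
            if r.src_zone in UNTRUSTED_ZONES and r.dst_zone in DATA_ZONES]


def overly_broad_rules(rules):
    """Rules from an untrusted zone that open every port: not an approved set."""
    return [r for r in rules
            if r.src_zone in UNTRUSTED_ZONES and r.dst_port == ANY_PORT]


def review_policy(rules):
    """Return human-readable problems; an empty list means the policy passes."""
    problems = [f"untrusted zone reaches data segment directly: {r}"
                for r in segmentation_violations(rules)]
    problems += [f"any-port rule from untrusted zone: {r}"
                 for r in overly_broad_rules(rules)]
    return problems


if __name__ == "__main__":
    probes = [
        Connection("internet", "dmz", "tcp", 443),    # allowed: approved front end
        Connection("internet", "dmz", "tcp", 22),     # denied: SSH is not on the list
        Connection("internet", "data", "tcp", 5432),  # denied: no direct path to data
    ]
    for c in probes:
        print("ALLOW" if is_allowed(ALLOW_RULES, c) else "DENY ", c)
    # A "temporary" rule added so a developer can query production directly:
    sloppy = ALLOW_RULES + [Rule("dev", "data", "tcp", 5432)]
    for problem in review_policy(sloppy):
        print("POLICY VIOLATION:", problem)
```

Running `review_policy` over the exported ruleset as part of change control is the cheap way to keep the "no direct path from untrusted to data" rule true over time; a penetration test then confirms that the deployed configuration matches the reviewed policy.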
Monitoring
All systems, and inbound and outbound network traffic, should be monitored, with network and host Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) deployed to raise alerts when activity that might indicate an attack is identified. Procedures should be in place, with responsibilities clearly understood, to ensure that alerts are investigated and acted on.
Access Control
Users should only be given the access rights required to do their job. Privileged accounts should be strictly limited to key system or database administrator roles. User activity, particularly involving sensitive information and privileged accounts, should be logged and monitored. A password policy should be in place to ensure that strong, unique passwords are used and that passwords are changed promptly whenever compromise is suspected; forcing routine expiry on its own tends to produce weak, predictable variations rather than stronger passwords.
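The monitoring and logging measures above are easiest to see as detection logic run over log lines. The Python below is an added example (not from the original article): it parses constructed syslog-style sshd and sudo entries, raises an alert when one source address fails to log in five times within a minute and escalates if that source is then accepted, and flags sudo use by any account outside an assumed list of approved administrators. The log lines, the year (syslog timestamps carry none), the thresholds and the admin list are all assumptions of the example.

```python
"""Detection logic over auth log lines: SSH brute force (escalated when the
guessing source is later accepted) and sudo use outside the approved
administrator set.

Added example for this article. The log lines are constructed; the year,
the alert thresholds and the admin list are assumptions of the example."""

import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style lines from an imaginary database host.
SAMPLE_AUTH_LOG = """\
Aug 18 09:12:01 dbhost sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Aug 18 09:12:03 dbhost sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
Aug 18 09:12:04 dbhost sshd[2205]: Failed password for root from 203.0.113.7 port 51131 ssh2
Aug 18 09:12:06 dbhost sshd[2207]: Failed password for root from 203.0.113.7 port 51140 ssh2
Aug 18 09:12:08 dbhost sshd[2209]: Failed password for root from 203.0.113.7 port 51142 ssh2
Aug 18 09:12:09 dbhost sshd[2211]: Accepted password for root from 203.0.113.7 port 51150 ssh2
Aug 18 09:30:15 dbhost sshd[2301]: Failed password for alice from 198.51.100.20 port 40010 ssh2
Aug 18 09:30:40 dbhost sshd[2303]: Accepted publickey for alice from 198.51.100.20 port 40012 ssh2
Aug 18 09:31:02 dbhost sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Aug 18 09:45:00 dbhost sudo:  dbadmin : TTY=pts/1 ; PWD=/home/dbadmin ; USER=postgres ; COMMAND=/usr/bin/psql
"""

LOG_YEAR = 2015              # syslog timestamps carry no year; assumed for the sample
ALLOWED_ADMINS = {"dbadmin"}  # assumed set of accounts approved for privileged access

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")


def parse_events(text):
    """Turn raw lines into event dicts; lines matching no pattern are ignored."""
    events = []
    for line in text.splitlines():
        ts_match = TS_RE.match(line)
        if not ts_match:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {ts_match.group(1)}", "%Y %b %d %H:%M:%S")
        if m := FAILED_RE.search(line):
            events.append({"ts": ts, "kind": "failed", "user": m.group(1), "src": m.group(2)})
        elif m := ACCEPTED_RE.search(line):
            events.append({"ts": ts, "kind": "accepted", "method": m.group(1),
                           "user": m.group(2), "src": m.group(3)})
        elif m := SUDO_RE.search(line):
            events.append({"ts": ts, "kind": "sudo", "user": m.group(1),
                           "target": m.group(2), "command": m.group(3).strip()})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Alert once per source when `threshold` failures fall inside a sliding window,
    and raise a second, higher-severity alert if that source then logs in."""
    alerts, failures, flagged = [], defaultdict(list), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "failed":
            window = failures[ev["src"]]
            window.append(ev["ts"])
            # drop failures that have aged out of the window
            window[:] = [t for t in window if (ev["ts"] - t).total_seconds() <= window_seconds]
            if len(window) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("bruteforce", ev["src"],
                               f"{len(window)} failed logins within {window_seconds}s"))
        elif ev["kind"] == "accepted" and ev["src"] in flagged:
            alerts.append(("bruteforce-success", ev["src"],
                           f"{ev['method']} login accepted for {ev['user']} after brute force"))
    return alerts


def detect_privileged_use(events, allowed_admins=ALLOWED_ADMINS):
    """Flag privilege escalation via sudo by any account outside the approved set."""
    return [("unapproved-sudo", ev["user"], f"sudo to {ev['target']}: {ev['command']}")
            for ev in events if ev["kind"] == "sudo" and ev["user"] not in allowed_admins]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUTH_LOG)
    for alert in detect_bruteforce(evs) + detect_privileged_use(evs):
        print("ALERT", *alert)
```

The second, escalated alert is the one that matters for the incident procedures described earlier: five failures from one address is noise on most Internet-facing hosts, but a success from that same address within seconds is an account compromise in progress.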
Physical Security
Physical security measures in relation to controlling access to the enterprise building and individual offices (employee passes, alarm and swipe-card systems, security guards, etc.) are also important in helping to ensure only authorized personnel have access to enterprise data.
Malware Protection
To ensure that viruses and other malicious software are not imported into (or exported from) the enterprise and used as part of an attack, a malware protection solution (anti-virus scanning, etc.) should be in place both on internal systems and at the network perimeter. Using anti-virus products from different vendors at the perimeter and on endpoints can provide additional coverage, since no single engine detects everything; running two such products on the same host, however, usually causes conflicts rather than extra protection.
Patching
Ensure that a patching policy is in place so that all software, applications and operating systems are kept up to date, with vendor fixes for known security weaknesses applied as soon as possible after release.
Encryption
Encryption should be deployed where necessary to protect critical enterprise data, e.g. where there is an unavoidable business need to transmit it over an untrusted network. If sensitive enterprise data needs to be stored and processed on a laptop taken off-site, full disk encryption should be used. The use of removable media (USB drives, etc.) should be strictly limited and controlled, and the media encrypted where their use is required.
If we don’t already have an understanding of the current threat level to enterprise data and the potentially devastating impact of a breach, a quick Internet search will provide any number of examples.
Having a set of security measures in place as an Information Security Management System (ISMS) covering a range of aspects – technical, procedural and policy – will provide a high level of assurance for your business and its customers.
InfoSec Institute is a training school for information security. It has been training Information Security and IT Professionals since 1998 with a wide range of security specific classes. For more information, visit www.infosecinstitute.com.