Hi-Tech Security Solutions spoke to five security experts for their take on the current status of data protection in corporate South Africa.
Most security operations and processes are aimed at securing people and premises in the belief that these are a company’s most valuable assets. What more business leaders are realising is that corporate data, while not often valued in terms of rand, is actually more valuable than the servers, PCs, laptops and other mobile devices it is stored on. A device can be insured and replaced. Losing all your data can have a more adverse impact on business than having to move offices or buy a new laptop
Moreover, with the Protection of Personal Information Act due to be passed this year (we hope), companies will need to start taking their customers’ data seriously and will be liable for penalties if care is not taken to prevent its loss. While not unusual in First World countries, protecting customer data is probably going to cause some serious stress among local companies, especially in the SMB market – assuming the laws are enforced.
Hi-Tech Security Solutions spoke to five experts in the data protection field to find out what companies should be doing to protect their data. Sadly, the old anti-virus package is no longer enough.
Hi-Tech Security Solutions: What are the current trends in data theft and protection today? What are we seeing happening in the real world?
Ugan Naidoo, MD, EOH Security:
There are numerous trends in data theft, below are but a few of them.
Hacking is taking a turn upwards: It is common belief that complex passwords and the newest anti-virus software keeps users information safe, unfortunately this is not entirely true. Today’s identity thieves use an array of mechanisms to counter the preventative measures business’s institute, for example, deploying software that monitors keystrokes and sends passwords to remote locations, deploying software that can copy a user’s desktop remotely, provided it is within a certain range.
Social networking has its downside: Users often unwittingly share personal information relatively easily on various social networking websites, which are more often than not patrolled by identity thieves. Examples of such personal information include, date of birth, home addresses, vacation dates and typical password retrieval prompts like 'pet’s name' and 'city of birth'.
Domestic identity theft: Domestic identity theft usually involves family members acquiring information either legally or illegally and then using that information for fraudulent activities, in some cases the victims were children. Other scenarios of domestic identity theft include theft by former husbands/wives and include domestic workers that are employed by the family.
Document fraud: Document fraud is another form of identity theft that involves identity thieves using personally identifiable documents to produce fake/counterfeit documents such as birth certificates, licences, identity documents etc.
Employment Fraud: following on from document fraud, identity thieves can use the counterfeit/fake personally identifiable documents to facilitate employment fraud by obtaining a job with these reproduced documents.
Gaf Khan, business development manager, Cisco:
The mobility of information inside and outside of corporate networks, the emergence of personal devices and new applications being used on the corporate network, and the persistence and sophistication of the criminal community are transforming how the security industry approaches protecting businesses and averting threats.
Consider social media and its impact on computer security. It is now routine for workers of all generations to interact with colleagues, customers, or partners using social networks. In addition, it is common for workers to blend business and personal communications on these social networks, further blurring the network perimeter.
The high levels of trust that users place in social networks – that is, users’ willingness to respond to information appearing within these networks – has provided ample opportunity for new and more effective scams. Instead of searching out vulnerabilities to exploit, criminals merely need a good lure to hook new victims.
In addition, online criminals show every sign of continuing their campaign to steal lucrative financial login information – and they are growing ever smarter and more sophisticated with their tactics. The Zeus and Clampi botnets, which steal online account credentials with a focus on bank accounts, have gained in size and strength.
Catalin Cosoi, senior antispam researcher, BitDefender:
Most businesses operate with intellectual property, be it sales strategies, customer databases, proprietary source code or other confidential information. When this kind of data leaves the company and reaches the competition, this usually means the end of any advantage over the latter.
Data theft can be the result of malware attacks and security breaches, of hardware theft or loss as well as of human error. While human error is rarely the main cause of data breaches, malware attacks and hardware theft pose increasingly higher dangers to the affected businesses.
According to the CSI Computer Crime & Security Survey for 2008 (http://i.cmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf), 42% of the participating respondents have had laptops and other mobile devices stolen along with the data they stored. While the cost of hardware is no reason to worry, the data a notebook stores may be key to the respective business. The emergence of netbooks and PDAs have made things even worse, since most institutions allow their employees to bring these devices to work and have no policy to specifically disallow the use of these devices for business purposes.
Insider abuse is also a frequent cause that leads to data theft. According to the same CSI Computer Crime & Security Survey, 44% of the data breaches have been orchestrated from inside the network, with flash and FireWire storage units as instruments of choice. Removable storage devices allow insiders to simply plug them in, copy sensitive data and leave the premises with at least 32 GB of intellectual property. At the same time, flash drives are the most frequent vector for malware infections.
Gareth de Laporte, information management sales specialist, HP Software & Solutions:
In most cases, notebooks are stolen just for the data hosted on them. Many end customers fail to encrypt the data that resides on laptops. Other items of concern relate to the movement of tapes to off-site locations for long-term storage. These tapes need to be encrypted, in most cases they are not. If the tapes are stolen the data could be compromised. In addition, companies often need to replicate/move data across the WAN from site to site for DR purposes. It is important once again that this data be encrypted prior to leaving the production environment.
Hedley Hurwitz, MD of Magix Integration:
The reality is that insiders are responsible for the majority of data breaches. Your own employees could take data in cooperation with syndicates, to assist them in starting a new company, or to give them a boost when starting a new job. Alternatively, your employees may have been the victim of identity theft and their credentials have been used to access sensitive data.
To date there has been little South African customers could do when their data was carelessly handled – not that many companies would inform their customers of a breach, if they knew about it. However, risk managers need to prepare for the new Act of Parliament legislating the protection of personal information. Carelessness will soon be an offence.
In a globalising world, data and identity theft is growing faster than anyone admits. Today you do not have to be near a person to find out anything about them – identity and banking information, regular behaviours etc.
Most organisations do not realise the ease with which data thieves can access the information they want. This is due to two primary issues: a general lack of data classification and the formulations of rules around the access and management of this data; and a lack of identity management processes in business.
Hi-Tech Security Solutions: Are businesses aware of the real threats facing them?
Ugan Naidoo
Yes and no. No, because some smaller businesses do not have the ability or finances to establish an information security business area and as a result may be missing out of vital and relevant counter measures to the evident threats and/or regulatory requirements. Because of this, many smaller businesses tend to settle for the lower end security measures in the belief that some security is better than none.
Yes, because some large businesses have the benefit of having an information security/IT security business area that is a part of their business or have the financial clout to employee external consultants to advise and implement counter measures to the evident threats and/or regulatory requirements. In these instances, much of the time, the most up to date countermeasures are instituted by the business to ensure that it is adequately protected from the evident threats.
Gaf Khan
For many organisations, data loss prevention has typically been a 'we-will-get-around-to-it' item, at least beyond protecting any data that relates to a compliance measure, such as PCI DSS or HIPAA. But that is changing. After watching other well-known companies suffer embarrassing (and preventable) breaches that have affected millions of customers and damaged brand reputations, more organisations are beginning to understand the importance of proactively protecting their data.
As businesses make data loss prevention (DLP) a higher priority, they are quickly realising how complicated the process can be, let alone making it a matter of policy. There is the challenge of data classification – figuring out what needs to be protected, as well as recognising that securing data in the name of compliance is only the tip of the iceberg. Then the various 'silos' in an organisation must be convinced to coordinate and communicate for the sake of DLP – an often-frustrating exercise. Organisations must also determine who or what function will be responsible for managing DLP efforts, as well as what technology solutions are available for protecting data and helping to enforce policy.
Catalin Cosoi
While medium and large businesses have learned the hard way that they need specialised IT teams to deal with the security policies that need to be enforced at the work place, small companies usually overlook the dangers they might face until it is too late. A number of businesses are not even aware of the fact that they should deploy anti-virus software on every machine inside the network. Securing the network infrastructure (including workstations) will surely save much more money than the investments made in security software and specialised IT staff (or at least an outsourced IT service).
Gareth de Laporte
To a large extent business are aware of the threats facing them here in SA. They understand that anti-virus is not the be all and end all to data protection. In most cases, companies try to follow the rules associated to the data protection act. They do understand the ramifications both from a legal and business perspective. In large they have spent considerable money to protect their valued data.
Hedley Hurwitz
Sadly, no. An anti-virus solution is simply one part of an effective solution. This understanding is growing and we see many companies asking for end point and device protection solutions as they come to the realisation of how many vulnerable points that can be exploited there are in every organisation.
But simply using products does not cut it either. If you want to effectively manage risk, you need visibility and monitoring process and systems in place across the company, including for the vulnerable points made up of your people.
Hi-Tech Security Solutions: How does a company develop effective data protection measures? Where do you start? Who do you ask?
Ugan Naidoo
The key question to be asked is, can my business survive if it loses all of its data?
Once the answer to this question is obtained, a data protection plan can be developed. The first step in starting this process is to set up a set of vital questions that need answers. A few sample questions that could be asked that pertains to data backup, data archiving, and data recovery are as follows:
* What information needs protection?
* Distinguish active/pertinent information from old useless information
* How long can the business survive without its data?
* What is the cost to the company for each hour that the system is down?
* Is the business’s infrastructure set up for true backup and recovery?
* Is the business’s backup media reliable? Can you ensure that that backed up data can be recovered successfully at a future date?
* What is the time frame that the backups should be stored (according to business requirements/legislative requirements)?
Gaf Khan
In the Web 2.0 world – where networks lack clear boundaries – organisations have little excuse for not formally educating their employees about what the enterprise considers to be acceptable use of social media, collaborative tools and applications, and mobile devices. Internal hosting of these types of applications, which more companies are doing, can also reduce risk.
Organisations need to embrace new technologies to stay competitive and retain their employees. However, they must first take time to create enlightened security policies and to embrace a new breed of security tools that are capable of enforcing them.
One defence against social media threats is to incorporate real-time intelligence about the source of Internet traffic, instead of local inspection of network threats only.
Catalin Cosoi
Each computer should be protected by a personal password, known only by its user or a biometric authentication module. All employees must be trained at least once a few months by a security specialist with reference to data security. And because anyone has access to them, great attention should be paid to the use of removable storage devices, such as hard-disk drives, flash drives, and memory cards. They are the main infection vector for worms which may open the door to other categories of malware, such as Trojans and viruses that might spread throughout the company network and exploit it for commercial or financial gain.
The company’s mail server is one of the most sensitive links with the outer world, including your customers. New business opportunities, accounts, sales reports, newsletters, and confidential attachments act like honey pots to cyber-criminals, so they might force their way through poorly secured mail servers. E-mail is also a significant vector for various worms and Trojans. Poor or no antispam filters installed on the e-mail server might open the doors to significant amounts of spam with various e-threats attached to messages.
Updates and backups are also critical aspects when tackling company security. Customer data, internal processes and other company-specific information are key elements. However, given the fact that we refer here to small businesses that most probably do not have a full time IT specialist, it is mandatory that an IT company be hired to regularly perform backups and if possible educate the personnel with reference to the use of IT related activities for safety purposes. Security audits are mandatory, as well.
Gareth de Laporte
Backup, firewalls, end-point security, encryption methodologies, anti-virus and anti-phishing technologies. They normally consult security/data protection vendors first or alternatively reseller organisations who specialise in this field. There are many consultants in the SA market who can offer security services and consulting.
Hedley Hurwitz
The questions to ask include:
* Where am I at risk?
* What data do I have that needs protecting?
* Where is that data stored?
These questions can only be asked, however, once the business has understood the absolute need to implement processes and solutions that classify data according to sensitivity, which will determine what protection measures need to be implemented to secure it. In addition, the company needs to find all the data it has. There is a frightening amount of sensitive data stored on PCs, laptops and mobile devices, that needs to be protected by more than a password.
Hi-Tech Security Solutions: What can be done to effectively protect against the myriad ways to steal data: social networking, social engineering, USB or cellphone attachments and malware, e-mail etc.
Ugan Naidoo
In the modern day and age, such threats are more evident and a common practice is to employ data leak prevention countermeasures. The data leak prevention measures ensure that a wide range of data activities are monitored and a wide range of response actions are provided to the organisation to help ensure that an acceptable level of business continuity and risk remediation is attained.
In most cases far too many people are privy to information that is far beyond the scope that their jobs require. A possible solution to this will be restricting the information content to that which is required by their job functions ie, role-based access control.
Gaf Khan
A key threat is recycling of passwords. The rise of social media and cloud computing is exacerbating the password problem and making it easier to make predictable guesses about passwords. Fatigued employees, tired of coming up with a dozen or more unique passwords, may simply create passwords that are only slightly different from each other – perhaps by adding a number to the end of a name. Or, worse, they will just use the same passwords over and over again.
To combat this problem, corporate IT departments can implement password manager solutions that collect all necessary passwords, encrypt them, and make it easy for users to access programs without having to remember passwords.
Hedley Hurwitz
This depends on what processes and solutions the organisation already has in place. Identity management is a crucial part of the solution, as is data classification, device protection and monitoring all vulnerable points. Companies must protect and monitor their workstations, as this is where the greatest vulnerability lies for most companies.
Hi-Tech Security Solutions: What are the future trends in data security? Integrated offerings? Biometric access? What will be common in business in three to five years?
Ugan Naidoo
Biometric authentication will be pivotal to businesses securing their resources and a fairly new innovative solution for biometric authentication is the keystroke dynamic authentication, where the user’s keystroke manner and rhythm are recorded and subsequently used to authenticate the user. Keystroke rhythms of a user are measured and captured during a registration phase in order to develop a unique biometric template of the users typing style.
Key uses of such a biometric authentication mechanism either to prevent fraud or enforce policy are as follows:
* Online exam/test fraud – this involves users providing their log-on credentials to someone else to take the exam/test on their behalf.
* Website contraventions – this involves users that share their log on credentials with other people who seek access to paid content websites
* Destructive intent – this involves hacker-based fraud where the hacker obtains the user’s credentials and attempts to utilise it for malicious intent.
* Legislative mandates – this involves the mandated use of multifactor authentication by either the business or government
Gaf Khan
The main trend in the security market is towards convergence of the technology and away from point solutions. Security is being driven into two distinct areas, the application and the fabric of the network. As management becomes more critical and the scope of the task becomes more challenging, managing security over not just the wired, but the unwired network, security managers now have to embrace emerging technologies like unified communications, physical security, data centre, video telepresence as well as wireless.
Catalin Cosoi
The security industry is continuously evolving to catch up with consumers’ needs. Biometric access is an already widely spread technology in high-end notebooks and ultra-portable computers. On-the-fly data encryption embedded directly in hardware, as well as online tracking for stolen computers are some of the new technologies expected to become mainstream in the next two years.
Hedley Hurwitz
Biometrics will become more important. Microsoft is building biometrics into its operating system, which will make it easier for more companies to implement better control than the current password system. As mentioned before, finding data and classifying it according to sensitivity has also become important.
However, technology aside, identity management will be the primary key to effective data security in the future. All data access policies and processes will be linked to an identity. Not all employees will need to have in-depth identity verification processes, but those with access to sensitive data will need more secure authentication procedures than those accessing less sensitive information.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.