Industry Article - Nov 07 Issue
Holistic Security – It’s the Enterprise Not the Application
By Gordon Rapkin, CEO, Protegrity
Millions of words have been written about the best software to use, the correct policies to implement. Conferences are held, experts pontificate. Governments and industries pass regulations. We have the tools, the knowledge, and the impetus to lock down systems and data. The only thing we don’t have is real security. Here’s why.
Businesses spend billions every year to secure computer networks and digital data. So why do serious security breaches continue to happen?
Every week seems to bring news of a new incident – the hard drive containing medical records that was purchased on eBay, the employment website whose online database was penetrated exposing personal information belonging to at least 1.3 million people, the stolen backup tapes containing state agency bank account information worth millions of dollars, the malicious hackers who grabbed 6.2 million customer names, email addresses and phone numbers from an online trading company’s database…those are just a few of the recent, high-profile breaches.
Breaches will continue to occur until we retire old-fashioned ideas about security. Many businesses that suffer a serious security violation had deployed protective systems in a rather random patchwork, with heavy emphasis on protecting the network from outside attackers. We need to move past the model of network perimeters, an idea that obviously hasn’t worked, and focus our attention on creating a holistic, multi-layered defense that includes people, policies and procedures, and a corporate culture centered on security.
The time to address this problem is now. Cyber crime is getting uglier and far more prevalent. The Computing Technology Industry Association’s recent study on data security breaches found that among companies that reported a security breach in the last year the average severity level of the incident was ranked 4.8 on a scale of 0 to 10 (very severe). In 2006, the average severity level was 2.3.
The bottom line is that we simply can’t rely on applications to do all the work for us. You can’t just throw money at the problem and hope it will go away. Smart policies, procedures and people are just as important as choosing the right security solution.
Creating a Culture of Security
Too many businesses have made security solely an IT problem. To be effective, security has to be everyone's problem and the processes that support real security need to be embraced by everyone from the summer intern to the CEO. And until businesses focus on creating a culture of security, until employees understand exactly how and why to protect networks and digital assets, systems and data will be far too vulnerable to attack.
Consider These Statistics
More than sixty percent of the major security breaches that occurred in the last twenty-five years can be directly attributed to mistakes made by the organization that suffered the breach, according to a study conducted by the University of Washington, Seattle. These errors included accidentally exposing personal information online, lost backup tapes, lack of physical security for equipment and administrative errors. Outsiders who’d managed to penetrate the network perimeter caused only 31% of the incidents.
The University of Washington study also found that electronic records in the United States are being compromised at the rate of 6 million a month in 2007, up some 200,000 a month from 2006.
A recent study released by the IT Policy Compliance Group indicated that human error is the overwhelming cause of sensitive data loss – contributing to 75% of all occurrences while malicious hacking activity amounted to just 20% of data losses.
In the Deloitte Touche Tohmatsu 2007 Global Security Survey, which included many of the top financial services firms, 79 percent of those polled said that human error was the cause for information security failures. Yet 22 percent of respondents said they provided no employee security training over the past year and only 30 percent believed their staff had sufficient understanding of security issues.
The most important and effective security project that a company can undertake is the creation of a corporate culture centered on security. Security consciousness needs to be hard-wired into our policies and procedures and embedded into everything we do.
When companies have an embedded culture, everything that people in that company do naturally reflects that culture. Some companies pride themselves on innovation, customer service, or the quality of the products they offer. All businesses now need to move towards taking pride in the security of their network and data and become truly proactive about security, rather than worrying about it only after their customers’ personal information has been exposed to criminals.
Policies and procedures need to be implemented and clearly communicated to keep people from mindlessly doing dangerous things with, and to, sensitive data. But simply devising policies isn't enough. Security measures that aren’t understood and fully embraced across the enterprise can and will be circumvented.
When people understand the value of security, as well as how to protect data, their entire approach and outlook changes. One of the most positive steps an enterprise can make is to institute ongoing security awareness training for employees. Ensure that all employees understand how to identify confidential information, why protecting data and systems matters, how to choose and protect passwords, what constitutes acceptable use of system resources and email, what the company’s security policies and procedures require, and how to spot scams. New employees should be required to complete a security orientation before they are given access to the network. Security training should not be generic, but should instead be targeted to an employee’s role in the company, with refresher courses bi-annually, or more frequently depending on the person’s role in the company and their access to sensitive data. Employees can be alerted to new threats and issues by way of a monthly newsletter, RSS feed, and/or emails from IT.
Every organization should also have an established incident response and reporting policy. This policy enables employees and executives to determine the severity of an incident and the inherent risk quickly. The policy needs to state to whom an incident or an employee’s concerns should be reported – for example, supervisors, legal, marketing and/or IT – and how it should be resolved. Your security policy should also detail how an employee should report requests for information and other incidents that they feel are suspicious or just somehow not right; this information should be noted and tracked. Never make an employee feel silly for reporting anything he or she finds suspicious. The easiest way to do this is often to set up an email address that employees can use to report potential problems, such as email@example.com.
After a security incident has been resolved, the organization should review its policy to determine if changes need to be made. How did the incident occur? Were we able to resolve it successfully? Implement the necessary change management and move on.
Policies and procedures should be enforced by technology controls such as role-based access, database encryption and auditing tools to ensure that everyone is following the rules and to protect data from misuse and/or exposure even if the rules are broken. By making these issues a matter of policy, an employee can deny requests without feeling that they are being unhelpful or could get into trouble with higher-ups. Automated enforcement and monitoring of policies takes the onus off employees – they no longer need to make judgment calls nor can they be pressured, bullied or coerced into responding to requests for data that could provide an attacker with a virtual key into company systems.
Bear in mind that it is quite possible to develop policies that are so rigid that employees resent them and actively look for ways to thwart the policy. It’s best to develop policies in tandem with representatives from throughout the company. Each of your employees is a stakeholder in security and should feel as if he or she is a valued participant in protecting company data, not a mistrusted child who is being watched and controlled every moment of the day.
Security Change Management
Eyebrows were raised in IT departments around the world when TJX Companies Inc, the parent company of discount retail outlets, reported in a filing to the U.S. Federal Securities & Exchange Commission that the company ‘believe(s) that the intruder had access to the decryption tool for the encryption software utilized by TJX.’
After the extended attack on the TJX network in which 45.7 million credit and debit cards were exposed to criminals, security experts initially assumed that TJX wasn’t encrypting stored data. Now it seems that at least some of the stored data was encrypted, and the much-touted ‘last line of database defense’ had failed.
Or did it? Information on what really happened inside TJX’s systems is still thin, but media reports indicate it all started in a Minnesota parking lot. Someone aimed a small antenna towards a store and easily grabbed customer data as it moved between hand-held devices to cash registers and into the store’s computers. Some of the information they captured may have allowed them to pry open the encrypted data.
TJX apparently also had a mix of secured and unsecured systems, with some data on some systems encrypted and some not, some systems regularly purged of old data on a monthly basis and others apparently storing customer information that should have been deleted years ago. The attacker was, according to the SEC filing, also able to install malicious software that captured data before it was deleted and was also apparently able to grab payment card data during the approval process as it was being transmitted sans encryption.
The tale of TJX contains many useful lessons to be learned – among the most important is that software-based security measures need to be deployed across the entire system in order to be effective. This may be a real chore in a huge network like TJX’s, but sprawling and distributed systems are a fact of life now, and one we all have to learn to handle. Data must be encrypted when it is captured, transmitted and at rest or encryption will not fully protect data.
Tracking data as it moves across a network is often far from a straightforward task. It’s likely that an audit of many networks would reveal sensitive personal data tucked away in places that you’d never expect to find it, stored unprotected in applications and databases across the network.
A critical first step in any data security project is to conduct a full audit of the entire system and identify all the points and places where sensitive data is processed, transmitted and stored. Data flows through a company and into and out of numerous applications and systems. It is precisely this flow that needs to be the focus of a holistic approach. Look at data flow as a municipal transit system – the system is not just about the station platforms, the tracks and the switches are just as critical. Many companies approach security as if they are trying to secure the station platforms, but lose sight of the importance of securing the flow of information.
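The audit described above usually starts with a discovery sweep: pull text artifacts (logs, exports, configuration) from each system and look for sensitive data sitting where it should not be. The following is an added example written for this article, not Protegrity’s product or any code from the original; it scans a handful of constructed sample artifacts (made-up file contents, with the well-known card test numbers rather than real accounts) for payment card numbers and email addresses. Card candidates are validated with the Luhn checksum so that order numbers and similar digit strings are not reported, and every hit is masked before it lands in the audit report, so the report itself does not become another copy of the data.

```python
import re
from dataclasses import dataclass

# Constructed sample artifacts standing in for files gathered from different
# systems during a data-flow audit. All values are made up; the card numbers
# are the standard test numbers, not real accounts.
SAMPLE_ARTIFACTS = {
    "pos-register/debug.log": (
        "2007-10-02 14:03:11 auth request pan=4111111111111111 exp=0909 amount=42.17\n"
        "2007-10-02 14:03:12 auth response code=00\n"
    ),
    "crm-db/customers.csv": (
        "id,name,email,card\n"
        "1,A. Customer,a@example.com,5500 0000 0000 0004\n"
        "2,B. Customer,b@example.com,tok_8f3a2c\n"
    ),
    "web-app/config.ini": "[db]\nhost=db01\nuser=app\nretention_days=1200\n",
    "hr-share/notes.txt": "Order #1234567890123 shipped; call 555-0100 with questions.\n",
}

# 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE_PAN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass(frozen=True)
class Finding:
    location: str   # which system/file the data was found in
    line: int       # 1-based line number within the artifact
    kind: str       # "pan" or "email"
    masked: str     # redacted value that is safe to put in an audit report


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out order IDs and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the usual display truncation."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_email(addr: str) -> str:
    local, _, domain = addr.partition("@")
    return local[0] + "***@" + domain


def scan_text(location: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_PAN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(location, lineno, "pan", mask_pan(digits)))
        for m in EMAIL.finditer(line):
            findings.append(Finding(location, lineno, "email", mask_email(m.group(0))))
    return findings


def scan_artifacts(artifacts: dict[str, str]) -> list[Finding]:
    """Run the scan over every collected artifact and return all findings."""
    findings = []
    for location, text in artifacts.items():
        findings.extend(scan_text(location, text))
    return findings


def summarize(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Per-location counts by kind: the places where sensitive data actually sits."""
    summary: dict[str, dict[str, int]] = {}
    for f in findings:
        summary.setdefault(f.location, {}).setdefault(f.kind, 0)
        summary[f.location][f.kind] += 1
    return summary


if __name__ == "__main__":
    results = scan_artifacts(SAMPLE_ARTIFACTS)
    for f in results:
        print(f"{f.location}:{f.line}  {f.kind}  {f.masked}")
    print(summarize(results))
```

On the sample data the sweep turns up a full card number in a point-of-sale debug log and another in a CRM export, two places that a perimeter-focused review would never look, while the tokenized card value and the thirteen-digit order number are correctly left alone. In a real audit the artifact map would be fed from each system in the flow, and the per-location summary is the starting list of places that need encryption, purging, or both.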
Additionally all systems should be monitored for malicious activity and swept for malware and other potentially dangerous software on a regular basis. It’s amazing that TJX’s system harbored malware for about 18 months without detection.
TJX’s security breach has already cost the company $17 million and will ultimately cost TJX and their payment partners at least $1.6 billion, according to an analysis performed by Protegrity. Data is the currency of modern business, and it’s time we started getting serious about protecting it. Consider this scary statistic: Right now seven out of ten companies lose, or have sensitive data stolen from them ‘six times a year,’ according to research from the IT Policy Compliance Group. Misplaced or stolen computing devices and storage media, user errors, security policy violations and direct attacks on databases and web services were among the top reasons cited for this data drain.
As businesses and agencies continue to move services onto the web, it’s critical to extend protection past the internal network perimeter – the classic focus of all security efforts – and protect all public-facing applications, which act as a conduit to the internal network and stored data. Websites and web-enabled applications, particularly those that collect data or allow access to internal databases, must be very carefully reviewed and thoroughly tested – preferably by an outside expert – to help ensure that no exploitable security flaws exist.
Then, to protect against brand new vulnerabilities, deploy a web application firewall to ward off threats and control any abnormal activity – such as a sudden rush of users or demands for information – that can overwhelm or crash an application or server operating system and open it up to an attack. Properly defended web applications allow outside users to access internal applications and selected segments of databases, enabling effective communication and service offerings while ensuring that both users and owners are protected from criminal attacks and privacy violations.
Some of the companies polled by the IT Policy Compliance Group for their survey weren’t regularly losing data. These companies all had one thing in common: they used multiple methods – user training, strengthened security policies and compliance screening, threat monitoring and targeted application protections, network and user access controls, encryption and system auditing – to protect against data loss. You should do the same. Think holistic and your systems are bound to become significantly more secure.
Gordon O. Rapkin is President and CEO of Protegrity, the leader in enterprise data security management, which delivers centralized data security management solutions that protect sensitive information from acquisition to deletion across the enterprise. He joined Protegrity in June 2004, bringing more than 20 years of wide-ranging experience as an executive in the software industry. Prior to joining Protegrity, Gordon held executive positions at Transcentive, Inc., Decisionism, Inc., where he was CEO for four years, and at Hyperion Solutions, Inc. As a key member of the executive teams, he was instrumental in guiding each through successive years of extraordinary growth and success. Gordon holds a degree in Biochemistry from Syracuse University, as well as an MBA and a Law degree, both from Emory University. For article feedback, contact Gordon at firstname.lastname@example.org