How will your company respond if an incident does happen? Spiezle offered the following advice on developing a strong plan for acting in the wake of a data breach.
1. What Data Do You Have? The first step is to fully understand the kinds of customer information your company is handling and storing–and why. It might sound obvious, but according to Spiezle, breaches often expose how little an organization knows about its data. “I’ve gone through a lot of breach responses with companies where people are literally sitting around a table saying ‘I had no idea we were doing that,'” Spiezle said. That can exponentially complicate matters when a data-loss event occurs–you can’t very well determine the consequences and communicate them appropriately if you don’t know what was at stake in the first place. Assess the kinds of data you have, who has access to it, and why.
The general rule of thumb: Limit access to those who need it for legitimate business reasons. Put a particularly high burden of proof on the case for storing sensitive customer information on laptops, external drives, mobile devices, and other hardware that can be easily lost or stolen.
2. What Are Your Regulatory Requirements? Spiezle is quick to note that this is one of the toughest data-breach challenges for SMBs that lack a compliance officer–much less an entire compliance staff–or that rely on IT generalists rather than information security specialists. But your regulatory requirements will dictate what you must do in data-breach scenarios. These are defined by the likes of HIPAA or PCI, but Spiezle noted that 46 states also now have some form of reporting requirements.
Alas, while there are vendors that can help, there’s no central online destination for companies to assess all of their compliance requirements. Spiezle thinks federal legislation could help. “It is a very complex issue, and [it] again underscores the importance of pre-planning,” he said.
Bonus advice: Be proactive. If you do seek help from a vendor, Spiezle pointed out that it’s much better to do this when you don’t already have a problem–it’s tough to get the best terms if you’re negotiating at 3 a.m. on a Saturday after a breach has already occurred.
3. Who Will You Notify? Knowing who you’ll need to communicate with can help lead to faster, more effective responses to data-loss events. Identify those groups before something goes wrong. “This might be partners, customers, [or] government agencies,” Spiezle said. He noted that some companies develop relationships with appropriate law enforcement agencies in advance so that they know the proper people to contact in the event of a data breach. Consider it the business equivalent of keeping a list of emergency contact numbers near your home phone.
4. When Will You Notify Them? This is a tricky and much-debated area: How soon should you notify affected customers and other stakeholders? Spiezle said it’s a case-by-case decision. With law enforcement or other government agencies, it’s usually an ASAP scenario. Customers and partners are a tougher call. On the one hand, Spiezle said, you don’t want them to find out from the media or other external sources. On the other hand, you don’t want to make things worse by communicating inaccurate information, which can happen if you act too quickly. Some of this decision may be guided the regulatory requirements your company operates under, too. Rule of thumb: Communicate as quickly as possible without sacrificing the clarity and accuracy of the information you provide.
5. What Will You Say? One way to cut down your response time and outreach efforts: Prepare your customer and other external communications in advance. This gets back to the importance of Tip 1–it’s tough to accurately message a breach if you don’t know what data you had in the first place. If you’ve got a complete understanding of your information and how you handle it, you can develop solid communications templates in advance.
Author Archives: admin
WhiteHat Security Statics Report 2012
WhiteHat’s 12th Website Security Statistics Report represents far and away the largest amount of data we’ve ever
Within this report we are very excited by the introduction of two new industries, Energy and Non-Profit. Historically,
KEY FINDINGS IN 2011
1. The average number of serious* vulnerabilities found per website per year was 79, a
significant reduction from 230 in 2010 and down from 1,111 in 2007.
2. Cross-Site Scripting reclaimed its title as the most prevalent website vulnerability, identified in 55% of websites.
3. Web Application Firewalls could have helped mitigate the risk of at least 71% of all custom Web application vulnerabilities identified.
4.There was notable improvement across all verticals, but Banking websites possessed the fewest amount of security issues of any industry with an average of 17 serious* vulnerabilities identified per website.
5. Serious* vulnerabilities were fixed in an average of 38 days or faster, a vast improvement over the 116 days it took during 2010.
6. The overall percentage of serious* vulnerabilities that were fixed was 63%, up from 53% in 2010, and a marked improvement from 2007 when it was just 35%. A rough 7% average improvement per year over each of the last four years.
7. The higher severity that a vulnerability has, the higher the likelihood that the vulnerability will reopen. Urgent: 23%, Critical: 22%, High: 15%.
8. The average number of days a website was exposed to at least one serious* vulnerability improved slightly to 231 days in 2011, from 233 days in 2010. Find full report here
How to Improve your network security
“There are the ones that value technology and see it as a strategic advantage in their environment, and they’ll invest heavily in it. There are the ones that know they need it and they’re willing to invest where they need to,” says Rick Norberg, president of Atrion Networking SMB, an IT service provider. “And then there are the ones that just see it as the cost of doing business. And those are the ones that tend to be unprotected, unmanaged and dedicate inadequate staff resources in order to plan through security.”
Don’t get pegged in that third group, Norberg warns. According to Norberg and several other IT experts, there are a number of ways to revamp your thinking and your network design for better IT functionality and improved security. Here’s where they say to start.
Build Backward from Mandates
According to Norberg, before designing your network it’s important to take a step back and think about a couple of critical variables, including:
What vertical you operate in;
What compliance mandates you answer to;
Where you want technology to take the company in the next three years.
Then design back from there, he suggests. When taken into consideration early in the design process, these elements should have significant bearing on the choices you make in infrastructure and deployment options.
“Sometimes, people will just buy cheap switches, network gear, firewalls and things like that because they’re inexpensive. And they throw them in,” says Norberg. “Then when they have a breach, they realize they just paid a zillion dollars to the government or to a credit card company or something like that in order to remediate it. And then they have to go buy the more expensive gear anyway. Taking an ‘it can’t happen to me’ approach is probably not the best way to design a system.”
Know Where Data Sits
One of the biggest weaknesses of many organizations is the lack of visibility into where exactly important data sits on the network.
Scott Laliberte, managing director at global business consulting and auditing firm Protiviti, says, “Among the things that clients we are working with are spending more time on is not only data leakage prevention–making sure it doesn’t go out on the front end–but also what I call ‘data discovery,’ which is being more confident and clear on where the data for sensitive information really does reside and then organizing it in such a way that you can manage it in a segmented way.”
According to a Protiviti survey earlier this year, organizations still struggle with data discovery and classification–just 50% of respondents said they have a specific plan in place to categorize data. And according to Laliberte, when he engages with clients to do data discovery on their network for the first time, surprises are common.
“In almost every instance there is a surprise found by the client as to where some of the sensitive data is,” he says.
Next: The Importance of Modularity, Firewalls and Patches
Modularity Is the Name of the Game
The more modular you can design a network, the easier it is to control and monitor traffic, according to Norberg.
“You want a network that you’re able to functionally monitor and secure, so you’re controlling the traffic on the network. You want one that can grow with the users,” he says. “A lot of times, you start with a flat network and then you start to modularize the phone traffic, the PC traffic and, if they’re in a retail environment, some of the POS terminals to make sure they’re secure and separated from each other. And then you want to get more granular from there.”
When done efficiently, network segmentation and modularity give a lot more flexibility in prioritizing risky segments of the network so you can focus your monitoring and security efforts on the most critical areas rather than having to worry about all of the infrastructure in aggregate. That’s a step up from what most organizations are used to, says Norberg.
“Traditionally, you might just slap a firewall into there and when it goes down, the customer calls you,” he says. “These days, we’re actually looking at the logs and doing proactive monitoring on the devices to make sure that they’re not only secured and updated with the latest firmware, but you’re also looking at what’s happening with the firewall and the connection itself.”
Manage Firewalls More Intelligently
Speaking of firewalls, organizations have to take an active management approach to their firewall rules if they’re going to get the most out of these assets. With most enterprises today depending on thousands of firewalls dispersed throughout their network fabric, firewall management has become an important element both for efficient IT operations and effective IT security.
“The core of network complexity begins with a firewall,” says Kevin Beaver, founder and principal information security consultant at Principle Logic.
Beaver says that, all too often, he sees organizations that believe that their security is OK. However, once he starts digging into their firewall rule sets and configurations, security holes are discovered.
“[We find] system configuration problems, weak passwords, network segments that shouldn’t be talking to one another, ports that are open,” he says. “I often see database servers that are sitting out on the public Internet wide open for attack.”
Patch
Patch management isn’t just for endpoints. Smart organizations need to have utilities in place that can automate system patching across all IT infrastructure.
“If I’m the IT director for the company, I want to make sure I’m using every tool capable of doing updating firmware and software on an immediate basis and alerting and reporting on it,” says Norberg. “Generally, you want to buy a third-party product that’s capable of doing more than just one particular manufacturer. Otherwise, you run into problems where you’ve got some of this gear, some of that gear, some of these servers, and then you end up spending a lot of your time not being very efficient in the way you’re patching things.”
source
Apple guide to iOS Security
“Apple designed the iOS platform with security at its core. Keeping information secure on mobile devices is critical for any user, whether they’re accessing corporate or customer information or storing personal photos, banking information, and addresses….
For organizations considering the security of iOS devices, it is helpful to understand how the built-in security features work together to provide a secure mobile computing platform.”