Information security covers the protection of the digital privacy of critical data belonging to businesses, organizations, and individuals. It includes various preventive methods that restrict unauthorized access to databases, systems, machines, and networks.
Security measures include data backups, encryption, data loss prevention (DLP) planning, digital rights management, and more. This article discusses ten things you need to be doing in 2017 to keep your data secure.
1. Secure Data Backups
Data encryption is only one of the ways to secure a backup. Enforcing proper service account usage is an essential part of protecting backup data. Service accounts pose a threat to data security because they provide access to the same data that is stored in the backup. Relying on a local system account or a dedicated service account is the best option when setting up your backup service profile.
To minimize the risk of data loss during an account hijacking, administrators are also advised to set up separate accounts for day-to-day use and for important backups. Using the same service account for multiple application backups creates a security hole that prevents a proper account usage audit in the event of a security breach. Best practice is for administrators to create a separate account for each application backup and to assign each account to specific employees. Establishing role-based data access facilitates auditing during an attack.
2. Improve Password-Based Data Protection
Password-based data protection is a convenient yet archaic method of authentication that continues to be used despite the development of more advanced techniques. Gaining a better understanding of the encryption processes and possible attacks is paramount when choosing a secure cloud storage provider. Recent security breaches at large social media outlets, like LinkedIn and Facebook, confirm the need for better password security. They are an important lesson in the significance of making educated choices when securing a cloud-based account.
Testing the security strength of a cloud provider with the “password reset” method is a quick way to tell how well data is protected on the site. If the password is emailed back in plain text, that is a clear sign that the cloud provider stores passwords without any encryption. The restriction of special characters in a password is also a tell-tale sign of low account security, since some SQL databases interpret special characters as functions and limit their use in passwords.
One-way cryptographic hashes, until recently used by the hacked websites listed above, can be easily cracked with rainbow tables. With the tables providing a list of pre-computed hashes, an attack becomes a simple comparison between the stolen hashes and the table. Most modern gaming computers have the graphics processing units required to crack one-way hashes with ease, so stronger password hashing is necessary. Salted hashes are an adequate response to these attacks, as they add randomly generated information that cannot be pre-computed.
Two-step authentication provides an additional layer of security by requiring users to prove their identity with a second physical factor, such as a registered device, a USB drive, or a hardware token. More advanced two-factor authentication methods use retina scanning, face recognition, fingerprint scanning, and even DNA to confirm the identity of the user, and they provide a level of security that is almost impossible to penetrate.
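As an added illustration of the point above (example code, not from the original article), the following Python shows how a precomputed table recovers passwords from plain one-way hashes and why a random per-user salt makes that lookup useless. The password list and the small "table" are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a rainbow table: precomputed SHA-256 digests of a
# few common passwords. Real tables hold billions of entries, but the lookup
# is the same single comparison the article describes.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_hash(password: str) -> str:
    """Plain one-way hash: the same password always yields the same digest,
    so a digest computed in advance matches a stolen one directly."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_precomputed(digest: str):
    """Recover a password from a stolen digest by table lookup; None if absent."""
    return PRECOMPUTED.get(digest)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). Because the random salt is
    mixed in, no table computed before the salt existed can contain the result.
    Returns a self-describing record: salt$iterations$digest."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def new_user_record(password: str) -> str:
    """Store this instead of the password: a fresh 16-byte salt per user."""
    return salted_hash(password, os.urandom(16))


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iterations, _ = record.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, record)
```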
3. Weigh the Losses and Gains of a System Shutdown
System shutdowns are sometimes necessary to prevent a worm from infecting multiple local systems. Despite posing a risk to the business, they should be accounted for in the development of the business continuity plan and the disaster recovery plan.
During an external security breach, shutting down a system may lead to the loss of valuable data that could later aid the investigation of the attack. In such cases, unplugging the network connection is the most advisable option, as it gives administrators the opportunity to terminate the breach without erasing the traces left by the attacker.
The disaster recovery and business continuity plans must weigh the risks and benefits of a system shutdown. Detailed instructions on making an informed decision in the case of a security threat are also a mandatory addition to the DRP and BC plan. The business impact analysis (BIA) should examine the potential losses for the organization during a system shutdown. It should be noted that the costs of data recovery, system patching, and configuration changes can, in some cases, exceed the damage done by a security breach. Hence, decisions about whether a system should be shut down during an attack should be based on the BIA.
4. Establish a Data Loss Prevention Plan
Data loss prevention is a strategy that deals with the prevention of potential data leakage from internal sources. DLP focuses on intentional and malicious insider data breaches that may put critical company information in the wrong hands.
Extrusion prevention can be carried out with the help of specialized DLP software that prevents employees from leaking important data outside the authorized company systems. It blocks actions such as uploading business documents to external file-transfer and cloud services like FileZilla and Dropbox, and it limits email forwarding to addresses outside the business domain. Data loss prevention software can monitor and control activities, filter data streams on the company network, and protect data from being exported to unauthorized cloud storage.
5. Use Digital Rights Management Tools
Digital rights management (DRM) is a systematic approach that prevents the unauthorized distribution of digital media. It protects data from being duplicated and exploited by end users by embedding code that defines the file’s rules of use. Digital and information rights management tools are used to enforce copyright protection. Yet they cannot fully prevent data theft.
DRM allows the specification of a time period of permitted use and indicates the access limitations of the file, but it is useless against keyloggers, screen captures, and copy-paste methods. Still, it assists in manual and software-performed checks for suspicious data usage.
6. Rely on Secure File-Sharing Services
Cloud-based data security does not rely solely on establishing a strong password. Prevention methods include account strategies that minimize data loss by systematically restricting data access to specified accounts.
The first step in securing data shared on a cloud server is separating personal and business accounts. According to a recent study by the Ponemon Institute, 35 percent of data breaches are attributed to negligence by employees and contractors. Correct account and data organization can protect company data from being involuntarily shared with unauthorized users.
Corporate-grade file-sharing plans provide greater data security than personal plans and should be considered by companies that want to limit dangerous file-sharing by employees through unauthorized cloud storage providers. It is advisable that critical company data be shared only via secure cloud service providers that rely on advanced data encryption methods and two-factor user authentication.
The recent burst in popularity of BYOD policies requires additional security measures that separate company data and personal devices as much as possible. It is recommended that the installation of P2P servers and software be strictly prohibited, especially when employees have access to privileged company information and applications through their own devices.
7. Provide Adequate Physical Security for Your Company Data
Ensuring the physical security of critical data is another mandatory procedure that businesses need to enforce. Establishing a disaster recovery site at a tolerable distance from the main data center provides an additional security tier that minimizes the risk of data loss during a planned attack or a natural disaster. The disaster recovery site must be easily accessible to authorized personnel. Entry monitoring and the use of electronic chip keys facilitate audits during breaches. Remote surveillance is essential for the protection of the disaster recovery site. Outside personnel should receive as little information as possible about the purpose of the site. The building and entrances should not indicate the existence of a data center. In many cases, data centers are established in low-profile buildings, like old warehouses and abandoned constructions, that would rarely be targeted or suspected by potential attackers.
8. Prevent DoS and DDoS Attacks
The denial of service (DoS) attack limits users’ access to services and information by flooding servers with fake requests. Unlike other attack strategies, a DoS attack does not actually breach the targeted network. Instead, it overwhelms it with traffic until it becomes completely inaccessible due to bandwidth limitations or various server errors. DoS attacks use a single machine that sends a large number of requests to the targeted server via Internet Control Message Protocol (ICMP) flooding or HTTP requests. Blocking the originating IP address and dropping its HTTP requests can easily stop the attack once it is spotted. Modern security software and web servers can be configured to detect and prevent ICMP flooding, so the single-source DoS strategy is now rarely undertaken by attackers.
The distributed denial of service (DDoS) attack is an advanced version of the DoS attack that overwhelms the victim’s network with a series of requests from thousands of infected PCs around the world. These attacks are executed by botnets, which consist of hacked machines infected with silent, background-running software that takes over certain functions and sends requests to the targeted network on behalf of the attacker. Botnet attacks rely on a large base of infected computers, which significantly increases the black market price of running an entire DDoS campaign. Despite being incredibly difficult to stop, the DDoS attack has high maintenance costs, which makes attacks on small companies a rare occurrence. Measures against DDoS attacks include bandwidth expansion and the use of SYN cookies to handle incoming TCP connection requests.
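The "spotting" step the paragraphs above rely on can be automated from the web server's own access log. The Python below is an added example, not code from the original article: it parses constructed Common Log Format lines (documentation IP ranges) and flags any single source that exceeds a request threshold inside a sliding time window, which is exactly the single-machine flood the DoS paragraph describes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access log in Common Log Format (documentation IP ranges).
# 203.0.113.7 sends 60 requests in 12 seconds; two ordinary clients make a few.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2017:12:00:{s // 5:02d} +0000] "GET /login HTTP/1.1" 200 512'
    for s in range(60)
] + [
    '198.51.100.20 - - [10/Mar/2017:12:00:03 +0000] "GET / HTTP/1.1" 200 1024',
    '198.51.100.20 - - [10/Mar/2017:12:00:09 +0000] "GET /about HTTP/1.1" 200 2048',
    '198.51.100.21 - - [10/Mar/2017:12:00:10 +0000] "POST /login HTTP/1.1" 302 0',
    'not a log line',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} (?:\d+|-)')


def parse_line(line: str):
    """Return (client_ip, timestamp) for a CLF line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ip, stamp = m.groups()
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def flooding_sources(lines, max_requests: int, window: timedelta) -> set:
    """Sliding-window rate check per source IP: flag any client that exceeds
    max_requests within a single window. Lines are assumed to be in time order
    for each client, as a server writes them."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip malformed lines rather than crash
        ip, when = parsed
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop requests older than the window
        if len(q) > max_requests:
            flagged.add(ip)
    return flagged
```

On Linux, the SYN-cookie defence mentioned above is a kernel setting (net.ipv4.tcp_syncookies=1) rather than something an application-level detector like this one provides.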
9. Evade Advanced Persistent Threats (APTs)
Most data attacks aim to create a quick data breach and minimize execution time to avoid detection. Unlike them, the goal of an advanced persistent threat inside a network is to stay undetected for as long as possible. The APT’s intention is not to damage systems but rather to steal data over an extended period of time.
APTs are executed using the spear phishing technique, which uses social engineering to gain access to a network and establish a backdoor.
Spear phishing messages are usually disguised as coming from trusted sources, like PayPal system messages, emails from large-company CEOs, government institutions, and sometimes celebrities. Attackers use freely available information about a company or person to create a genuine-looking message by adding the company name, headquarters address, and more. The phishing emails usually contain a link to a dummy website that requests a password confirmation, encourages the recipient to upgrade a certain software application, or asks them to download a file to investigate a concerning issue. Once the attacker gains the necessary information, he creates a backdoor in the network and silently seeks ways to breach other critical accounts to expand his reach.
APT attacks can sometimes be detected by security software, but gaining a better understanding of the tactics and methods used to run an advanced persistent threat attack is considered the best preventive measure.
10. Use Secure Application Programming Interfaces
An API is a set of functions for interacting with a specific software service. An API may gain access to profile information and execute various actions such as publishing, sending social signals, logging into a system, distributing data to third parties, and many others.
API development often proceeds without considering the risks of a security breach. Yet bad API code often creates an open door for attackers to gain access to user accounts and cause data breaches by locating security data carelessly left within the code and documentation of the API. Fuzzing and black-box testing are necessary for preventing standard injection flaws. Incorrect implementation of SSL when accessing the API from a non-browser application often leads to security errors that bypass data encryption.
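The last sentence above describes a non-browser client that disables certificate checks, so the TLS encryption no longer proves who is on the other end. The Python below is an added example (not from the original article) that shows that weak setting beside the hardened one and a pre-flight check a client can run before sending a credential; the `call_api` client and the `api.example.test` URL are hypothetical.

```python
import ssl
from urllib.request import Request, urlopen


def insecure_context() -> ssl.SSLContext:
    """The misconfiguration the article warns about: certificate and hostname
    checks are off, so any server that answers is trusted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verify the server certificate against the system CA store, check the
    hostname, and refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Pre-flight check a client should run before sending any credential."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def call_api(url: str, bearer_token: str, ctx: ssl.SSLContext) -> bytes:
    """Hypothetical client: refuses plain HTTP or a weakened context so the
    token is never exposed to an intermediary."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send a token over plain HTTP")
    if not context_is_safe(ctx):
        raise ValueError("refusing a TLS context without verification")
    req = Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read()


def refuses(url: str, ctx: ssl.SSLContext) -> bool:
    """True if call_api rejects the (url, ctx) pair before touching the network."""
    try:
        call_api(url, "constructed-token", ctx)   # constructed placeholder token
    except ValueError:
        return True
    return False
```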