Staying ahead of the ever-evolving threat of a data breach requires diligence on the part of the stakeholders in understanding and anticipating the risks, associated with data privacy, confidentiality, and security.
Advancements in information technology (IT) have raised concerns about the risks to data associated with weak IT security, including vulnerability to ransomware, viruses and malware attacks that will compromise the integrity, and availability of the data due to unauthorized access to network systems and services.
Understanding the vast array of threats is the first step in ensuring adequate protection of sensitive data. All networks are vulnerable to cyber security threats. A comprehensive data security program is essential for mitigating these threats and preventing a data breach.
A holistic approach to data security begins with understanding the network, its architecture, user population, and mission requirements. Security risks for networks with large user populations and networks connected to the internet are particularly high.
Once the risks have been assessed and organizational security policies specified, a security architecture should be designed and a security plan implemented. Consistent implementation of the security plan will reduce susceptibility to cyber threats and increase the overall security of an organization’s data.
► Security Threats To Information Systems: Non-Technical
♦♦ Insider. An insider is defined as someone with legitimate access to the network. Because information accessed by insiders can be easily stolen, copied, deleted, misfiled, or changed, insider threats can be some of the most damaging, regardless of whether they occur due to user carelessness or malicious attempts.
♦ Mitigation: To mitigate this type of threat, establish and enforce a well-defined privilege rights management system, restricting users’ access to certain information and allowing them to only perform specific functions. Audit programs are useful in enforcing access controls and monitoring suspicious activity. In addition, it is recommended that organizations conduct annual training and awareness programs to educate users about insider threats.
♦♦ Poor Passwords. Implementing a policy on strong user passwords / passphrases is critical to data protection. It is especially important for users with access to the most sensitive information.
Modern password-cracking programs can easily break weak passwords, such as those containing common words or word groups found in a dictionary. For this reason, user-selected passwords are generally considered to be weaker than randomly-generated passwords.
User-generated passwords often follow a predictable pattern or association to something in the user’s life (city, family, or pet names for example) and are therefore more vulnerable to password-cracking programs. While randomly-generated passwords may be harder to remember, they are relatively more secure.
♦ Mitigation: Use a professional password-generating program as an enterprise-level solution. A variety of highly-rated programs are available on the market. In addition to implementing procedures for generating strong passwords, train users on how to maintain the security of their passwords, which includes not keeping written passwords in the vicinity of the computer. For enhanced security, consider implementing more advanced authentication capabilities, such as multi-factor authentication.
♦♦ Physical Security. Physical security is essential to preventing unauthorized access to sensitive data as well as protecting an organization’s personnel and resources. An effective physical security system is an integral part of a comprehensive security program.
Physical safety measures include securing access to dedicated computers, server rooms, routers, printers, and any areas that process or store sensitive data.
♦ Mitigation: Establish and enforce a physical security system. Strong physical security includes access control policies and procedures; physical barriers (e.g., fences, doors, locks, safes, etc.); surveillance and alarm systems; and security breach notification, response, and system recovery procedures.
♦♦ Insufficient Backup And Recovery. Lack of a robust data backup and recovery solution puts an organization’s data at risk and undermines the effectiveness of its IT operations.
Data and system recovery capabilities allow an organization to reduce the risk of damage associated with a data breach. It is essential to conduct routine backups of critical data and store backup media in a safe and secure manner.
♦Mitigation: Establish an organizational policy and specify procedures for data backup, storage, and retrieval. Many advanced data and system backup and recovery tools are available on the market.
♦♦ Improper Destruction. Paper documents, such as reports and catalogs, may contain sensitive data. Unless these documents are destroyed properly, by shredding or incinerating, they may be salvaged and misused.
Discarded electronic devices, such as computers or portable drives, that have been used in processing and storing sensitive data, remain vulnerable unless the data are erased properly. A data breach can occur if recovery tools are used to extract improperly erased or overwritten data.
♦ Mitigation: Establish a policy for protecting or destroying no longer needed IT assets and media that may contain sensitive data. Several standards organizations offer guidelines that outline best practices for ensuring data are discarded properly.
♦♦ Social Media. Using organization’s devices and network resources to access social media websites poses a high data security threat. Social networking sites are often targeted by malware, receive a high degree of spam, and are frequently used to gain information for identity theft.
♦ Mitigation: Introduce and reinforce a policy forbidding access to some social media websites while using an organization’s resources and equipment. Train users about the security threats generated by visiting these sites. Organizations that allow access to social media websites should deploy a strong anti-virus and spam filtering solution.
♦♦ Social Engineering. Breaking into a network does not require technical skills. Access to sensitive information can be gained by manipulating legitimate users after securing their trust.
Caution should be advised when communicating any account or network information. This involves making sure the requester is well-known to the user and has a legitimate reason for this information.
Socially engineered attacks are the means for some hackers to gain passwords, access codes, IP addresses, router or server names, and other information that can be exploited to break into a network.
♦ Mitigation: Train users to increase their awareness about social engineering threats and educate them on how to avoid being manipulated. For example, users should be instructed to use caution when someone inquires about their account information or technical information about the network, especially if this person claims to be a network administrator.
Waksman, Adam; Sethumadhavan, Simha (2011), “Silencing Hardware Backdoors” (PDF), Proceedings of the IEEE Symposium on Security and Privacy, Oakland, California
“What is Data Obfuscation”. Retrieved 1 March 2016.
“data masking”. Retrieved 29 July 2016.
“data protection act”. Retrieved 29 July 2016.
Peter Fleischer, Jane Horvath, Shuman Ghosemajumder (2008). “Celebrating data privacy”. Google Blog. Retrieved 12 August 2011.
“PCI DSS Definition”. Retrieved 1 March 2016.
“The Myth of the Average User: Improving Privacy and Security Systems through Individualization (NSPW ’15) | BLUES”. blues.cs.berkeley.edu. Retrieved 2016-03-11.
Data Recovery Solutions:
Anti-Virus / Anti-Malware Solutions: