
This Year, Why Not Take Your Data Seriously?

NetApp

CxOs, here's a proposal: Make three New Year's resolutions that keep your organization out of embarrassing, costly, reputation-ruining data-breach headlines.

2012: What a sorry year for data bungling. This year, how about you stop &^%$ing around?

According to the Privacy Rights Clearinghouse, there were 27,449,573—yes, that's right, 27½ million—records potentially compromised in 678 publicly reported breaches during 2012.

Surprising, this is not. A recent survey of 355 IT professionals found that 88% don't protect their databases from both external and internal threats, while nearly one-fifth do nothing whatsoever to protect their data.

So. You're a C-level or similar exec. What can you do about this?

You can take stock. You can come up with some data resolutions for the new year, such as getting your organization to take better care of data. Here are three specific, actionable suggestions from security experts:

1. Ask Security Vendors Gnarly Questions

Consider Sony.

In June 2011, hacktivist group LulzSec hacked the company's databases. The group claimed it exposed over 4.5 million customer records, using an extremely simple SQL injection—"one of the most primitive and common vulnerabilities," as the group noted in a statement at the time.

It's a vulnerability that should have been identified through a simple, routine test. So, what happened?

Adriel Desautels, CEO of penetration-testing firm Netragard Inc., surmises that Sony either didn't test (unlikely) or that whoever tested relied on an automated scanner that missed the flaw. The problem is that automated scanners lack a dedicated human's ability to pick apart a site or an infrastructure: a scanner that never reaches the vulnerable parameter, or loses its way in the application's flow, simply reports a clean result.

We see these security vendors as experts, but too often they're just out to make a buck. A vendor might say it does manual testing with a team of super-elite engineers. But how can you tell? How do you know whether you're just getting a write-up of an automated scan?

Here's how, Desautels says: You call testing firm XYZ and say, “Hey, I've got 10 IP addresses. How much for a pen test?” They come back and say it’ll cost $1,000.

That might sound like an attractively low estimate. But bear in mind that one address might run no web services at all, while another could front hundreds of virtualized applications. Testing a host like that properly could take 40 hours of solid work.

Imagine all 10 of your addresses need 40 hours each, because they all run extremely complicated systems. That is 400 hours. Divide $1,000 by 400 and XYZ is allowing $2.50 per hour. Is that buying you experts?

Bottom line: If your vendor is quoting simplistically, is it going to provide experts doing quality work? No, you'll be buying the automated scans that probably got Sony up a certain creek, paddleless.

2. Do an Inventory Before Asking for Quotes

A simple port scan with Nmap (with version detection enabled, so you know which open ports are actually web servers) can tally live hosts, services and web applications, and walking each application in Burp to gauge its size and complexity should give IT staff at least a rough idea of the workload a proper test requires. (Nmap is free; Burp Suite has a free edition.)
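The inventory step above, together with the per-hour arithmetic from section 1, as an added example that is not the article's or Netragard's code: a POSIX shell script that parses Nmap greppable output (the `-oG` format) to count live hosts, open services and web applications, turns that into a rough hour estimate, and works out what hourly rate a flat quote implies. The scan data embedded in the script is constructed, not a real scan, and the weights of 8 hours per web application and 1 hour per other open service are an assumed rule of thumb, not figures from the article. Gauging each application's complexity in Burp remains a manual step and is not scripted here.

```shell
#!/bin/sh
# Added example (not the article's or Netragard's code): inventory a scope from
# nmap greppable output (-oG) before asking for quotes, then work out what
# hourly rate a flat quote really implies for that workload.
#
# Real use:   nmap -sV -oG inventory.gnmap 10.0.0.0/29
#             inventory_report inventory.gnmap 1000
# The hour weights in estimate_hours are an assumed rule of thumb.

# Constructed -oG output standing in for a real scan so the script runs offline.
SAMPLE_GNMAP="$(mktemp)"
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
{
  printf '# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.0.0.0/29\n'
  printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//ssl|http//nginx 1.18/\tIgnored State: closed (998)\n'
  printf 'Host: 10.0.0.2 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.2 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4/, 8080/open/tcp//http-proxy///, 8443/open/tcp//ssl|https-alt///, 3306/filtered/tcp//mysql///\tIgnored State: filtered (996)\n'
  printf 'Host: 10.0.0.3 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.3 ()\tPorts: 25/open/tcp//smtp//Postfix smtpd/\tIgnored State: closed (999)\n'
  printf 'Host: 10.0.0.4 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.4 ()\tPorts: 22/closed/tcp//ssh///\tIgnored State: filtered (999)\n'
  printf '# Nmap done -- 8 IP addresses (4 hosts up) scanned in 12.34 seconds\n'
} > "$SAMPLE_GNMAP"

# One line per open port: "host port service". Fields in -oG are tab separated;
# each port entry is port/state/proto/owner/service/rpc/version/.
open_ports() {
    awk -F'\t' '$2 ~ /^Ports: / {
        host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
        n = split(substr($2, 8), entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")
            if (f[2] == "open") print host, f[1], f[5]
        }
    }' "$1"
}

count_live_hosts()   { awk -F'\t' '$2 == "Status: Up"' "$1" | wc -l | tr -d ' '; }
count_open_ports()   { open_ports "$1" | wc -l | tr -d ' '; }
# Anything nmap labels http, http-proxy, ssl|http, https-alt ... is a web
# application someone has to walk by hand.
count_web_services() { open_ports "$1" | awk '$3 ~ /http/' | wc -l | tr -d ' '; }

# Assumed rule of thumb: 8 hours per web application, 1 hour per other service.
estimate_hours() {
    open_ports "$1" | awk '{ hours += ($3 ~ /http/) ? 8 : 1 } END { print hours + 0 }'
}

# Dollars per hour that a flat quote implies for the estimated workload.
implied_hourly_rate() {
    LC_NUMERIC=C awk -v quote="$1" -v hours="$2" 'BEGIN { printf "%.2f\n", quote / hours }'
}

inventory_report() {
    file="$1"; quote="$2"
    hours="$(estimate_hours "$file")"
    echo "live hosts:      $(count_live_hosts "$file")"
    echo "open ports:      $(count_open_ports "$file")"
    echo "web services:    $(count_web_services "$file")"
    echo "estimated hours: $hours"
    echo "a \$$quote quote implies \$$(implied_hourly_rate "$quote" "$hours")/hour"
}

inventory_report "$SAMPLE_GNMAP" 1000
# The article's own case: 10 hosts at 40 hours each for a $1,000 quote.
echo "10 hosts x 40 h for \$1,000 implies \$$(implied_hourly_rate 1000 400)/hour"
```

Run it against a real `-oG` file from `nmap -sV` and compare the implied rate with what a competent tester actually costs; a quote that implies single-digit dollars per hour is a scan report with a logo on it, whatever the sales pitch says.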

That baseline information can help your business determine if an engagement is legitimate. (For more help in choosing a security vendor, Netragard published this whitepaper).

Another resource: as I described in this article on vetting security vendors, smart buyers are now forcing security vendors to test, or have independently tested, how secure their own code and products are. Rather than relying solely on compliance attestations or QSAs (Qualified Security Assessors), some buyers and states are demanding some level of guarantee against failures.

For example, some states have contract language stipulating that if a vendor’s software falls victim to one of OWASP’s Top 10 list of Web application security vulnerabilities, there will be penalties.

3. Ask Why You're Collecting All This Data Anyway

Joe Knape, Practice Director at Caliber Security Partners, would love to see CxOs rise above all these nitty-gritty, technical security details in the new year and instead simply ask, Why?

Why is your organization collecting sensitive information? Why does your company need it?

If your company must collect it, does it really need to store it? Or can it be purged, immediately?

"In short, if I don't have it (or keep it), I can't lose it (or have it stolen) and I don't have to protect it," Knape writes.

Case in point: Nationwide. As Knape wrote recently, Nationwide revealed in December that hackers had stolen customer information in the fall, making off with personally identifiable information including Social Security numbers and dates of birth.

Knape's question: "Why did they have all this information in the first place?"

It's a good question. As he pointed out, SSNs are used strictly as identifiers, and the only time they're required for insurance purposes is when the insured also participates in Medicare. Try telling that to an insurance company, though. Its health insurance contact wrongly told Knape that his enrollment couldn't be processed without the numbers.

Who, at your own organization, is asking “Why?” of those who insist on collecting and storing sensitive data?

It's a New Year

It's time to be proactive. It's time to take the steps needed to keep your business out of the worst kind of headlines.

Even if you do no more than get a grip on who's accessing your data, that is more than the 88% of businesses in that survey are doing. They have their heads so deeply buried in the sand that they haven't lifted a finger to protect their data.
