Enterprise data security has become not only a major focus of attention in the tech industry but also a concern for the mainstream public. With the steady stream of data breaches at companies such as the retail giant Target, the tech and media leader Sony, and most recently medical insurer Anthem, Inc., many organizations are now beginning to appreciate the importance of data security and just how heavy a financial toll a hack can take. According to many executives, a turning point has been reached.
“In 2014 there were a lot of lessons learned. Everything from the day-to-day nature of all the hacks where it went from kind of being a surprise to unfortunately becoming mainstream news,” stated Kevin Reardon, VP of worldwide value strategy, Intel Security. According to many security executives, implementing the principle of least privilege and applying patches appropriately are key ways to avoid the hacks that these big corporations are experiencing.
Principle of Least Privilege
According to Reardon, 95% of all attacks on enterprise networks result from successful spear phishing. The principle of least privilege keeps user profile privileges to a minimum, granting only those that the user’s requirements call for.
This means that if a user’s data were to be hacked, there is a far greater chance that the breach will be quarantined and the hackers will not be able to infiltrate the entire organization. “Attackers typically break into companies through phishing attacks against individual users. This will result in the user typically running malware and it makes all the difference in the world if the user has been properly restricted to a standard user account or is the user account given local administration,” explained Marc Maiffret, BeyondTrust CTO.
“Organizations must recognize that all of their systems are connected, including the marketing database, transaction processing, and even employee records,” added Protegrity CTO Ulf Mattsson. “The enterprise must be secured using a unified approach, to prevent ‘weakest link’ issues relating to security gaps or vulnerable systems.”
In a perfect world, organizations would be able to keep the hackers completely out of their systems, but in reality this is impossible. “If you have a sophisticated enough attacker on a long enough timeline, there is always a way in,” explained Maiffret. “There are many opportunities for attackers to break in. At that point it becomes whether you’re going to discover them based on a proactive technological measure or by your customers calling saying that their credit cards have been used fraudulently.”
Once a hacker has entered the system, it becomes extremely easy for the hacker to navigate if the user does not have strict access settings on his/her computer. Often, a hacker will easily be able to find credentials and passwords for higher access points from a lower-end user who is not well quarantined. This then allows the hacker to pass in and out of the system with ease.
Need to Maintain Up to Date Database Patching
A patch is software designed to improve computer programs and keep them up to date. Databases can also become vulnerable if they are not kept up to date with the proper patches. “We have found situations where clients had production databases that had just fallen out of the patching process,” stated Josh Shaul, Trustwave VP of product management. Another issue connected with patches is out-of-date software. According to Walker White, president of BDNA, certain types of software may be deemed obsolete by their developer and will no longer receive patches.
While patching is important, not every data security expert believes it to be as important as the principle of least privilege. “When people first think of database security they become really worried about patching database vulnerabilities. Patching is a really big problem and something that you should do, but it is most likely not going to make a dent in your data security,” stated Mark Kraynak, chief product officer, Imperva. According to Kraynak, the principle of least privilege and the risk of SQL injections were bigger threats than a lack of patch implementations. “When you see breaches it’s not because someone did a technical attack on vulnerability on a database. Most of the time, if you are in a position to do a technical attack, you have a user, access to the database over the networks, and some entitlements.”
Medical Records Pose Emerging Risk
With the spike in high-profile enterprise data breaches, concern about data security has traveled to everyday citizens as well. One of the most common sources of concern is the loss of credit card data. While credit card theft is still a means by which a person can lose valuable information, there are new threats in 2015. According to Bitglass, which provides security for cloud apps and mobile devices, medical records are 50 times more valuable on the black market than credit cards as a result of simple supply and demand. On the black market, credit cards have become more common and thus less valuable, while medical records are not nearly as prevalent and also contain more useful information to thieves.