Data Security: Are You Utilizing Basic Security Precautions?

Posted on 2/27/2014 by Mikayla Jenkins in security tech trends
image

Target Corp. Neiman Marcus Group. Michaels Stores Inc. Lately, it seems like retailer data security breaches are dominating the headlines. But many data security breaches don’t make national headlines.

Special thanks to Ryan Ticer (TEAMSOS Senior Convergence Engineer) and Justin Bagatti (TEAMSOS Advanced Communications Consultant) for their expert insight on this issue. 

Not Just Retail: Data Breaches are a Problem for All Organizations

SC Magazine’s Data Breach Blog keeps a running list of data breaches, which doesn’t just include large scale retailers but also universities, hospitals, insurance companies, government agencies, and more. Data security breaches affect a wide range of organizations: companies, universities, non-profits, and government agencies. Regardless of the industry or company size, if your organization has data that is perceived as valuable—be it social security numbers, credit card data, or proprietary information—then you are at risk.

Be Sure to Take Basic Security Precautions

Not all, but many data breaches can be attributed to failing to enact basic security practices. Earlier this month, when Illinois Attorney General Lisa Madigan testified before a U.S. House Panel looking into the recent high profile data breaches, she stated that failure to take basic security precautions was a common cause of data breaches.  Specifically, Madigan’s investigations of breached companies (which happened before the Target breach) unveiled repeated instances of where companies:

  • · Allowed their systems to retain unencrypted data
  • · Failed to install software patches for known vulnerabilities
  • · Retained information longer than necessary

There are elements, however, beyond the 3 outlined by Madigan that we here at TEAMSOS view as basic security precautions.

On the Wire Encryption

Today, on the wire encryption is absolutely necessary when it comes to especially sensitive data, like credit holder data. But, on the wire encryption is very pricey. Most companies will find budgetary concerns when it comes to implementing something like that.

Controlling Network Access

You also have to look at controlling access to network resources, while also maintaining availability of network resources. It’s a very hard balance, because you have to control access from unauthorized devices, or even control access from authorized devices (like employees). But also you have to allow employees to get on the network without causing them havoc, or making them jump through a bunch of hoops, before they can get into the network. It’s a very fine line that you have to walk. Sometimes you go too far in one direction, sometimes too far in the other. And that battle can sometime make it very difficult to mitigate security, especially on the network border. But above and beyond that, on the wire encryption helps with network access issues, because it insures that the data gets from Point A (a credit card terminal) to Point Z (the ultimate database server) without someone along that path picking up on that traffic and getting ahold of the sensitive data therein.  

Target’s Breach: When Basic Security Precautions Are Not Enough

Now bringing into perspective what happened with Target, they had something happen to them that was always known as a risk, but no one ever thought was very possible because it was such an unlikely risk. Attackers took advantage of the fact that the physical memory on the credit card terminals was unencrypted. It has to be unencrypted, because the program itself has to be able to manipulate and send that data in an unencrypted form to process its transaction. So because of that, attackers were able to pull off the data from the memory in such a way that they were able to get the data BEFORE it was encrypted to go over the wire. That’s a very difficult challenge to address when you’re looking at something at such a low level and out of someone’s control. In the wake of the latest data breaches, credit card terminal manufacturers looking at new features security to be able to handle this kind of threat—even to the point of redesigning whole credit card terminals and coming up with new technologies that allow for encryption and memory. So it’s very interesting because these changes won’t only apply to credit card terminals, but also to higher end systems back in the data center that store the information to begin with. And eventually the payment card industry (or PCI) will update their compliance requirements in the future such that this concern is addressed and probably checked against for compliancy.

Ultimately, security is a balance of configuration, architecture, and practice. The mixture of those 3 items, among others, those 3 are the primary factors in protecting any data—internal and client data. 

But Security Best Practices not only include security basics but also includes anticipating and addressing possible attacks. In our next post we’ll outline Security Best Practices.  

Image by purpleslog via Flickr, under Creative Commons License

Subscribe via Email!

Receive a daily digest of new blog posts. 

 

Enter your email address: