Recent data breaches and cyber attacks on Citibank, Epsilon and Sony are once again shining a spotlight on how vulnerable companies and consumers are to data breaches.
Earlier this week, Citigroup announced they had discovered that the names, account numbers and contact information of hundreds of thousands of bankcard holders had been compromised in a breach. The announcement comes on the heels of last month's revelation that 101 million users had their information compromised in the Sony Breach.
In this electronic age, nearly every business today is collecting and storing personal information of both consumers and vendors. Information like names, addresses, Social Security numbers, credit card and other account numbers is at risk. Big or small, practically every business, bank or public institution can be a source of valuable one-stop shopping for a host of identity thieves.
The simple truth is this: loss of customer and employee data can be a financial and public relations nightmare that can damage your organization's reputation and bottom line. And the consequences of a data breach can be severe. Several businesses across the nation have been forced to close their doors because of bad press, and the loss of once loyal customers.
Factor in that the cost of data breaches continues to rise, and it's no surprise that many find themselves asking, "If the high-profile companies are at risk, what's the small business to do?"
Have a plan.
Regardless of the size of your company, you should have an identity theft protection/breach preparedness team or specialist that understands all the relevant risks, threats, and vulnerabilities associated with data breaches. Not only should your organization have a strong understanding of the possible threats, small business owners should also have procedures in place for regularly monitoring existing security practices to ensure that security procedures are working as they should.
Along with your plan to protect data, you should also have a detailed and decisive plan for what to do if something goes wrong. Not only will this help minimize any potential damage, but a quick response to a breach will go a long way in building and maintaining confidence among your customers that you're doing everything possible to protect their personal information.
Secure information.
Help protect information by implementing both physical and electronic security methods.
When it comes to electronic security and data protection, use the best available. You'll almost always find the upfront cost of securing information to be far more cost effective than the cost of fixing the problem once the damage is done.
Along with electronic protection, make sure all your employees are well trained in the proper methods for protecting, storing and destroying valuable information. Limit employees' access to sensitive information on a need to know basis.
Dispose of data.
Don't store information you don't need, and always remember to use shredders and wipe decommissioned electronic devices (including laptops, external hard drives, and copy machines) to properly dispose of unnecessary data. Thieves can't hack information that isn't there.
Limit outside access.
Restrict the ability for sensitive data to be taken off-site. This includes mobile devices. Information that is taken outside of your office is open to a whole host of threats from physical theft to viruses on your employees' home computers.
Remove all peer-to-peer file-sharing software and deny access to file sharing sites from all company computers. P2P and file sharing sites can provide wide-open doors to nearly all your information.
For computers that store sensitive customer databases, disable email, and Internet access to avoid phishing and malware attacks.
Trust the professionals.
Lastly, consider using a third party expert. Identity theft protection and breach specialists can help you identify holes in your security systems and, if a breach does occur, quickly restore public confidence and avoid unnecessary costs.
Experts like LifeLock can help by initiating a rapid response and providing an immediate communications plan to help minimize loss and restore trust. They can more effectively manage security notifications-required by state and federal law, as well as provide letters and emails to help put fear to rest in the affected community affected by a breach. When necessary, they can provide identity theft protection and ongoing support to stay ahead of future complications.
The point is, despite the headlines, there are absolutely things you can do to protect your company and consumers. The important step is to act now, so that the next breach headline isn't yours.
Follow Todd Davis on Twitter: www.twitter.com/lifelock
Christopher Burgess: When "Phish" Is Really Fishy
Mitch Joel: What The World Needs Now Is More Media Hackers
For CDs and DVDs, steel wool will do.
Any defense can be overcome but you design your system so that the time it takes to crack it is longer than the time you need to detect the intruder. If you rely on secrecy you have already lost.
On the DES or Triple-DES issue: this is an old algorithm (1975) that nobody uses anymore.
When you connect with a system over a public network you use SSL (private key/public key) with a key length of at least 2k (no certificates are currently issued with key length shorter that that).
The break-ins we have seen were caused mostly by poor coding practices (i.e. website pages) and very poor password management. it's really telling that Sony said that there was an "unauthorized use administrative passwords".
If you encrypt the disk containing sensitive data and only allow access using Public key/SSL certificate your data will be safe.
For Sony, the solution is even simpler than what's here: For all, and I mean ALL, code-based SQL queries, use parameters and/or prepared statements. Never, never, never, never, and I mean never do a simple text-replacement on an SQL query string, as that's begging for an SQL injection attack. That's very basic, and it's totally unacceptable that they failed to do it.
Use proper access controls. Encrypt all sensitive data at all points, and use a strong, proven encryption algorithm. Set up a system that will not allow weak passwords and requires periodic password changes. Whenever possible, do not use Windows, on the desktop or on the server. Regardless of what OS you use, do not run routinely as the root/admin account, only log into it (or sudo into it) when root permissions are truly needed. Protect the hard drives of any laptop or other device taken offsite with full-drive encryption.
This whole worry about "p2p" and that is a load of bunk (p2p software, by default, only allows access to a few specific directories, none of which you'd be normally storing things in). It's impractical to disallow taking systems offsite, so ensure that the systems are full-drive encrypted and require a VPN to access anything internal. Real security is a design philosophy, not a question of disallowing people from browsing Facebook or using p2p and calling in a consultant once.
{EAV_BLOG_VER:baa99026640bf7d9}
As for computers:
"Computers are dead empty masks operated by remote control." ... Wm. Burroughs
Interestingly, he's the grandson of the man who invented the adding machine, then became Burroughs Corp.
For everything that the computer has given I don't believe it's going to work out so well with all this erasure of certain proper boundaries between us and us.
Anyone got a positive report on my negative sense? Be nice, please. I didn't say I 'know'. I say I'm, well, frightened for us in regards to the articles content.
I agree on the distrust of large corporate software. I've generally found open source software to be significantly more secure and reliable (at least the larger projects, Linux, Openoffice/Libreoffice, etc., and if you use something in alpha/beta, well, you know it's in alpha or beta).
It's simple enough to set up TOR, VPNs that run through another country, etc., if you're worried about insecure data.
Compare that to a telephone. It's effectively impossible to encrypt a phone call, aside from any encryption the carrier places (and so knows how to break). It's easy to tap a phone line or cell tower. It's very hard to gain significant control over the device.
Of course, there's always paper! That can be encrypted, but it's tough and doesn't scale at all.
So what do you propose that's more scalable, more secure, and more user-controllable than a computer?
Waaaaaaaaaaaaaaa!