"Data is your most important asset." I am sure you have heard this dictum. It might even be considered a cliche. Well, something usually becomes a cliche when it is true.
That's why you and your organization have gone to great pains to protect your mission-critical data, the data you store about customers, sales, products, production and employees. You log it, back it up, and replicate it. You store backups off site and have redundant systems.
You make sure that users are authenticated and only have appropriate rights and privileges. You create views for applications and classes of users to ensure that they view only the data that is appropriate. You have done everything possible and can sleep at night.
Be careful, you might just have missed the obvious. Here is another cliche to think about: "You are only as secure as your network". Obvious? Perhaps. But it is clear that many either miss the obvious or are making bad choices about it.
Each year, Verizon issues the Data Breach Investigations Report (DBIR). The report is based on data provided by the US Secret Service and security agencies in the Netherlands, England and Australia. For 2011, they identified 855 incidents worldwide compromising 174 million records. In the eight years that they have been producing the report they have identified over 2000 incidents with over 1 billion records at risk.
Keep in mind that these are only the incidents that these agencies have discovered; the actual number of incidents is surely exponentially higher.
What is important about the DBIR is what it says about the incidents uncovered. 98% of breaches were from external agents, 81% of incidents involved a form of hacking and 69% incorporated malware. On the other hand, only 5% of incidents were the result of privilege abuse.
While I would not minimize the threat from within (nefarious activity by employees can be serious), there is clearly a huge external menace. Worse, only 8% of incidents are discovered internally. It usually takes a third party for you to learn that you have been compromised. This leads to the suspicion that many breaches occur and are never identified!
Now, here's the part that should give you pause. According to the DBIR 96% of breaches were not highly difficult and 97% were avoidable through simple or intermediate controls. For victims subject to the Payment Card Industry Data Security Standard (PCI DSS), 97% had not achieved compliance. The PCI DSS is intended to protect cardholder data for debit, credit, prepaid, e-purse, ATM, and Point of Sale (POS) cards.
Shockingly, only 29% of PCI DSS covered organizations have implemented a firewall to protect their data! I know what you're saying; we must be talking about mom and pop shops. In large part, yes. But the report separates out large organizations and found that only 71% have firewalls. When you consider that the impact of a breach to a large organization can be huge, it is shocking that 29% do not have firewalls to protect the PCI sites.
When it comes to being compliant by having antivirus protection the large organizations are somewhat better at 86% compliant, but for all organizations the compliance is even worse at 23%! Put another way, 14% of large and 77% of all PCI DSS covered organizations do not implement virus scanning.
When you do not protect yourself you endanger everyone you come into contact with. Based on these figures, I'd say there are a lot of potential "Typhoid Marys" out there!
Let's consider a few of the common hacking threats that you need protection from:
SQL Injection: This is an attack on a database using a website's input form. An SQL statement that produces undesired results is appended to a field's input.
For example, a typical login script sets variable values equal to input posted for a user id and a password and then appends them to a select statement. The statement is executed to check if a record with that combination of values exists.
Suppose the value posted for userid is "ui" and the value posted for password is pw"; drop table users; -- (the embedded quote closes the password string and the "--" comment swallows the closing quote that the script appends).
The statement would execute as follows:
Select * from users where userid="ui" and password="pw"; drop table users; --"
The system would execute 2 separate statements: first the select lookup and then the statement dropping the users table. Ouch!
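The login lookup above, as an added example that is not from the article: a Python sqlite3 script with the concatenated query beside a parameterized one. Standard SQL string literals use single quotes, so the article's payload is re-quoted for that; the users table, its sample row and the function names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample schema and row, not from the article.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('ui', 'pw')")
    conn.commit()
    return conn

def build_query_unsafe(userid, password):
    # The article's pattern: posted values pasted straight into the SQL text.
    return f"SELECT * FROM users WHERE userid='{userid}' AND password='{password}'"

def run_unsafe(conn, userid, password):
    # Returns "executed" or "rejected". Python's sqlite3 refuses a second
    # statement in execute(); a driver that allows stacked statements (as the
    # article assumes) would run both, and the table would be gone.
    try:
        conn.execute(build_query_unsafe(userid, password))
        return "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return "rejected"

def login_safe(conn, userid, password):
    # Parameterized query: the values travel separately from the SQL text, so
    # quotes and semicolons in the input are data, never syntax.
    row = conn.execute(
        "SELECT 1 FROM users WHERE userid=? AND password=?", (userid, password)
    ).fetchone()
    return row is not None

def users_table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()
    return row is not None

# The article's payload, re-quoted for single-quoted SQL literals.
INJECTED = "pw'; DROP TABLE users; --"

if __name__ == "__main__":
    conn = make_db()
    print(build_query_unsafe("ui", INJECTED))   # two statements in one string
    print(run_unsafe(conn, "ui", INJECTED))     # "rejected" by this driver
    print(login_safe(conn, "ui", INJECTED))     # False: treated as a literal
    print(login_safe(conn, "ui", "pw"))         # True
    print(users_table_exists(conn))             # True: table untouched
```

Whether the second statement runs depends on the driver and its settings, so the fix is never "my driver blocks stacked queries" but the parameterized form, which makes the question moot.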
Guessable Credentials: Large organizations have standard procedures that require changing default user names and passwords, but this is one of the top causes of breaches for small organizations.
For example, the default user for MySQL Server is root with no password.
If you do not add a password after installation you will be vulnerable.
Even if you do, make sure that you use a "strong password" with combinations of letters, numbers, case and special characters. Too often, people use a guessable password such as the current month or even the word "password" itself.
Keylogger: There are a variety of malware programs that can record the keystrokes typed by a user at a web site or on their computer. They particularly target user IDs and passwords, but they can capture any data being input.
Brute Force and Dictionary Attacks: Brute Force is a technique used against encrypted data where you attempt to exhaust all possibilities until you find the correct one. A Dictionary Attack is similar, but you work off a list of likely prospects, for example a list of common passwords such as "password", months, years, etc.
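A password check that turns the "Guessable Credentials" and "Dictionary Attack" points above into a policy, added here as an example that is not from the article: it rejects the guessable values the article names (the word "password", month names, years) even with digits or case tricks bolted on, enforces a character-class mix, and sizes the search space an exhaustive attack must cover. The guess list, the minimum length and the function names are constructed assumptions.

```python
import re

# Constructed guess list: the article's examples (the word "password", month
# names, years) plus a few common variants. Real checks use far larger lists.
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
COMMON = {"password", "passw0rd", "admin", "root", "letmein", "welcome"}
GUESSABLE = COMMON | set(MONTHS) | {str(y) for y in range(1970, 2031)}

def normalize(pw):
    # Strip digits and punctuation from the ends so "March2012!" or "password1"
    # still hit the list; lowercase so case tricks do not help.
    return re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw).lower() or pw.lower()

def character_classes(pw):
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    return sum(1 for c in classes if re.search(c, pw))

def check_password(pw, min_length=12):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(pw) < 3:
        problems.append("uses fewer than 3 character classes")
    if normalize(pw) in GUESSABLE:
        problems.append("matches a dictionary/common-password entry")
    return problems

def brute_force_space(pw):
    # Size of the search space an exhaustive attack must cover, assuming the
    # attacker knows only which character classes are in use (26/26/10/33).
    sizes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]
    alphabet = sum(n for pat, n in sizes if re.search(pat, pw))
    return alphabet ** len(pw)

if __name__ == "__main__":
    for candidate in ["Password1", "March2012!", "2012", "correct-Horse-battery-9"]:
        print(candidate, check_password(candidate), brute_force_space(candidate))
```

A dictionary hit matters more than the search-space number: a password that is on the list is found long before an exhaustive search would reach it, whatever its nominal keyspace.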
Backdoors: A backdoor is a way of bypassing the normal authentication process. Hackers take advantage of the fact that computer makers and application developers often create backdoors during development and neglect to remove them when they go into production. Malware can identify backdoors and even create new ones that can be used later.
Keep in mind that even if you are using a firewall and antivirus you may still be vulnerable. The problem with most antivirus protection is that it only addresses viruses and exploits that have been identified and added to a "blacklist" of known viruses.
Not bad, except there are approximately 50,000 new viruses and system exploits unleashed EVERY DAY! They will eventually update their blacklist for a specific issue, but you are always playing catch-up.
I prefer protection that uses a "whitelist" concept and sandbox. With this technique, program files are compared to a list of valid files and only allowed to run in your system if they are on the list. If the scanner has any suspicions about a program, it is run in an isolated system area called a sandbox where the scanner can determine if it is OK or should be deleted.
If you operate a web site that handles sensitive information, such as an e-commerce site, it is critical that you use the Secure Sockets Layer (SSL) and SSL Certificates. SSL provides a secure, encrypted connection between the web site and the browser. SSL Certificates authenticate your web site for the user, ensuring that your users will have confidence in your site.
There are a variety of SSL Certificates that can be purchased at a low cost.
An "Extended Validation" (EV) SSL Certificate provides the highest level of authentication.
A Wildcard SSL Certificate can save money for web operators that have sub domains. One wildcard SSL certificate can be purchased that will cover a site and all its sub sites. For example, you can apply one wildcard SSL certificate that covers both judgeco.com and sports.judgeco.com.
A Unified Communications (UC) SSL Certificate can be applied to multiple domains and host names. A single UC SSL certificate can be used for a primary domain and up to 99 alternate names. They are very popular for use with Microsoft Exchange and Microsoft Live servers.
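How a browser decides whether a wildcard or UC certificate covers the host it is talking to, as an added example that is not from the article: the RFC 6125 matching rule, under which `*.judgeco.com` matches exactly one label, so sports.judgeco.com is covered but the bare judgeco.com must be listed on the certificate as its own name (CAs commonly include it when issuing a wildcard). The name lists and the function names are constructed for the demonstration, not real certificates.

```python
def hostname_matches(pattern, hostname):
    """RFC 6125-style match of one certificate name against a hostname.

    A wildcard may only be the whole left-most label and matches exactly one
    label: '*.judgeco.com' covers 'sports.judgeco.com' but neither
    'judgeco.com' nor 'a.b.judgeco.com'; '*.com' is never accepted.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Only the '*.example.com' form: whole left-most label, at least two
    # fixed labels after it, no wildcard anywhere else.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def certificate_covers(names, hostname):
    """True if any name on the certificate (CN or SAN entry) covers hostname."""
    return any(hostname_matches(n, hostname) for n in names)

# Constructed name lists (not real certificates) using the article's domain.
WILDCARD_ONLY = ["*.judgeco.com"]
WILDCARD_WITH_APEX = ["judgeco.com", "*.judgeco.com"]   # how CAs usually issue it
UC_CERT = ["mail.judgeco.com", "autodiscover.judgeco.com", "judgeco.com"]

if __name__ == "__main__":
    for host in ["sports.judgeco.com", "judgeco.com", "a.b.judgeco.com"]:
        print(host,
              "wildcard only:", certificate_covers(WILDCARD_ONLY, host),
              "wildcard + apex:", certificate_covers(WILDCARD_WITH_APEX, host),
              "UC:", certificate_covers(UC_CERT, host))
```

Before buying, list every host name users will actually type, then check each against the certificate's names with a rule like this one; a name that is not covered produces a browser warning that undoes the confidence the certificate was meant to provide.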
As the DBIR indicates, the threats to your data are great but there are simple and cost effective solutions. Never go without a firewall and antivirus protection. Make sure your web site is protected with SSL and SSL Certificates.