
How can CIOs combat data breaches?

05 Aug 2010, Stuart Sumner, Computing

http://www.computing.co.uk/ctg/analysis/1859003/how-cios-combat-breaches


Businesses are seeing an increase in malicious insider activity, according to the 2010 Data Breach Report from Verizon Business released last week.

But insider threats are not the only concern. External attacks on cloud services are also increasing. For example, last month the servers of US-based telco AT&T were breached, leaking around 114,000 email addresses, including those of government and military officials.

So how can CIOs mitigate such attacks?

Insider risk
First, it is important to understand why they are increasing. Paul Henry, forensic and security analyst at Lumension, a global IT security provider, said: “It is partly driven by the economy. In a good economy you only need to worry about bad people doing bad things. In a bad economy, some of the good people are driven the same way.”

And while technological advances can provide more capable security, they can also often provide opportunities to cyber criminals.

“USB sticks make it trivial for a person to deliberately insert malware into an organisation. And link file vulnerabilities allow the spread of malicious code, such as a key logger or a sniffer programme,” said Henry.

The risk is especially high for organisations using Windows XP service pack 2 or Windows 2000, which Microsoft ceased to support on 13 July this year, meaning an end to security patches. But even when available, vendor patching is never a complete security solution.

Firms may feel secure once they turn on Microsoft's automatic updates. But an up-to-date operating system does not mean the risk is gone.

“The threat is no longer just in the application layer – the problem has spread to third-party applications and add-ons,” said Henry. “Part of the problem is that cyber criminals have found that organisations are patching Windows, but not Adobe, Quicktime or other third-party tools.”

One potential answer is endpoint security. Its device-control component defines, by hardware serial number, which devices may be attached to a PC on the network; anything without a recognised serial, USB sticks included, is refused by the endpoint. The serial is reported by the device's own firmware, so this blocks casual or opportunistic misuse rather than a purpose-built attacker device.

Another component of endpoint security is application control, which defines what software may run in a given environment.

“Only software which meets a business need in the organisation should have the right to operate,” said Henry. “[In this way] you dramatically reduce the risk of malware infecting the environment.”
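As an added illustration of the two controls Henry describes (device control by serial number and application control), not code from the article or from any vendor's product: a minimal allowlist for both in Go. The vendor and product IDs, serial numbers and executable images are constructed sample data. Two practical points the code makes explicit: a device that reports no serial cannot be matched and is refused, and because a vendor patch changes a binary's hash, hash-based application control needs a re-approval step or it will block the very updates the article calls for.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// USBDevice holds the identifiers a device-control agent reads from a USB
// descriptor at plug-in time (constructed records, not real hardware).
type USBDevice struct {
	VendorID  string
	ProductID string
	Serial    string // empty when the device reports no serial number
}

// deviceKey is the full identity the allowlist is keyed on. Vendor and product
// alone would admit every unit of a model, so the serial is part of the key.
func deviceKey(d USBDevice) string {
	return d.VendorID + ":" + d.ProductID + ":" + d.Serial
}

// DevicePolicy is a device-control allowlist: approved units only.
type DevicePolicy struct{ allowed map[string]bool }

func NewDevicePolicy(approved ...USBDevice) *DevicePolicy {
	p := &DevicePolicy{allowed: map[string]bool{}}
	for _, d := range approved {
		if d.Serial != "" { // an entry without a serial cannot be pinned to one unit
			p.allowed[deviceKey(d)] = true
		}
	}
	return p
}

// DeviceAllowed is the decision the agent makes when a device is attached.
// A device with no serial is always refused: there is nothing to match it against.
func (p *DevicePolicy) DeviceAllowed(d USBDevice) bool {
	if d.Serial == "" {
		return false
	}
	return p.allowed[deviceKey(d)]
}

// AppPolicy is an application-control allowlist keyed on the SHA-256 of the
// executable image. Hashing the image rather than trusting a path or file name
// means a renamed or replaced binary does not inherit approval.
type AppPolicy struct{ allowed map[string]bool }

func imageHash(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

func NewAppPolicy(approvedImages ...[]byte) *AppPolicy {
	p := &AppPolicy{allowed: map[string]bool{}}
	for _, img := range approvedImages {
		p.allowed[imageHash(img)] = true
	}
	return p
}

// ExecAllowed is the decision made before an image is allowed to run. A vendor
// patch changes the hash, so the updated binary must be re-approved; that is
// the operational cost of hash-based application control.
func (p *AppPolicy) ExecAllowed(image []byte) bool {
	return p.allowed[imageHash(image)]
}

func main() {
	// Constructed sample data: one approved USB stick and one approved executable.
	approvedStick := USBDevice{VendorID: "0781", ProductID: "5583", Serial: "4C530001230516115411"}
	devices := NewDevicePolicy(approvedStick)
	apps := NewAppPolicy([]byte("payroll-client-v1 binary image"))

	for _, d := range []USBDevice{
		approvedStick,
		{VendorID: "0781", ProductID: "5583", Serial: "4C530001239999999999"}, // same model, other unit
		{VendorID: "0781", ProductID: "5583", Serial: ""},                     // no serial reported
	} {
		fmt.Printf("device %-32s allowed=%v\n", deviceKey(d), devices.DeviceAllowed(d))
	}
	fmt.Println("approved build runs:", apps.ExecAllowed([]byte("payroll-client-v1 binary image")))
	fmt.Println("patched build runs: ", apps.ExecAllowed([]byte("payroll-client-v2 binary image")))
}
```

In a real deployment the agent would read the descriptor fields from the operating system's USB stack and the image bytes from the file being executed; the decision logic is the same.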

Increased regulation
Last week ISACA, the Information Systems Audit and Control Association, the professional body for information security and audit practitioners, said that reporting of data security breaches should be mandatory in quarterly and annual company reports. Many firms only learn of a breach when a third party tells them; mandatory reporting would push them to prioritise the upkeep of their security infrastructure.

“Reporting should be absolutely mandatory,” said Henry. “It would force companies to secure their data, and could level the playing field. If company A secures its data and B doesn’t, B is potentially better off as it has lower costs. A regulation sets a minimum bar.”

Cloud computing
If a company uses cloud computing, much of the network infrastructure moves outside of its direct control. This brings its own risks, as Henry explained.

“Cloud providers work on thin margins and may not be able to afford security provision. In addition, you have no control over the security of servers in the cloud – you’re shifting the risk from your servers to your end points and leaving yourself open to attack,” he said.

A potential answer to this risk of data leakage is enforced encryption. Files can be encrypted so that they are readable only on specific machines, with each file's decryption key bound to a digital certificate issued to the authorised machine. That protection holds only for as long as the machine's private key cannot be exported alongside the file.

So a file could still be copied on to a USB stick and stolen, but it would be effectively useless. This could also remove some of the temptation for a malicious insider. “Encryption removes the choice,” said Henry.
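The machine-bound encryption described above, as an added example that is not part of the article and does not reproduce any particular product: each file is encrypted under a fresh AES-256-GCM key, and that key is wrapped with RSA-OAEP to the public key of the authorised machine, which in deployment would come from the machine's certificate. The key pairs here are generated in the program as stand-ins for those certificates, and the plaintext is constructed. A copy of the sealed file on a USB stick is useless without the matching private key, so in practice that key belongs in a TPM or other non-exportable store rather than in a file the same insider could copy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// SealedFile is the on-disk form: the per-file key wrapped to one machine's
// public key, plus the AES-GCM nonce and ciphertext. This is all an insider
// gets by copying the file to a USB stick.
type SealedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext so that only the holder of the private key behind
// machinePub (in deployment, the key in the machine's certificate) can read it.
func Seal(machinePub *rsa.PublicKey, plaintext []byte) (*SealedFile, error) {
	fileKey := make([]byte, 32) // fresh AES-256 key per file
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// RSA-OAEP wraps the file key; the file key itself is never stored in the clear.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, machinePub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &SealedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Open reverses Seal. It fails cleanly when machinePriv is not the key the file
// was sealed to, which is the "effectively useless" outcome for a stolen copy.
func Open(machinePriv *rsa.PrivateKey, f *SealedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, machinePriv, f.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("file is not sealed to this machine")
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	// GCM authenticates the ciphertext, so a tampered copy is rejected here too.
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}

func main() {
	// Keys generated in-process stand in for the certificate key pairs of two machines.
	authorised, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}

	sealed, err := Seal(&authorised.PublicKey, []byte("constructed sample: payroll export Q2"))
	if err != nil {
		panic(err)
	}
	if pt, err := Open(authorised, sealed); err == nil {
		fmt.Printf("authorised machine reads: %q\n", pt)
	}
	if _, err := Open(other, sealed); err != nil {
		fmt.Println("copy on another machine:", err)
	}
}
```

Wrapping a per-file symmetric key rather than encrypting the file directly with RSA keeps file size unbounded and lets the same file be sealed to several authorised machines by adding one wrapped key per machine.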

Biometric authentication – where a fingerprint or retina scan augments the traditional username and password – will soon be more readily available, according to Jerome Svigals, director of the Smart Card Institute. “We will go from a two-way security system to three way, requiring the correct device, password and fingerprint.”

The growing capabilities of technology arm CIOs and attackers alike. The key task for CIOs today is selecting the right blend of tools to protect the business, and encryption and endpoint security both have a part to play.

Reader comments

Most Orgs Enjoy Security as a Matter of Luck - Do This...

This is a GREAT article despite the dismay of breaches and data insecurities. CIOs should check out David Scott - in his words, everyone needs to be a mini-Security Officer today. I think Mr. Scott, the author, is right: Most individuals and organizations enjoy Security largely as a matter of luck. For some good insight, check out his blog, "The Business-Technology Weave" - you can Google to it, or search on the site IT Knowledge Exchange which hosts it. Anyone else here reading I.T. WARS? It reflects much of what is said here. I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary 'an eCulture' for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS

Posted by: Janice Taylor-Gaines  05 Aug 2010

password replacement the only solution

Research consistently shows that the greatest threat to organisations comes from within. It's time to move the emphasis away from locking the windows and bolting the doors - hackers and viruses, while threats, are nowhere near as pernicious as the employees who sit inside the firewall. Password sharing is rife within companies - often it's innocent - Joe's forgotten his password (which seems to change every month and is so complex he's no chance of recalling it). He's either too embarrassed to call the helpdesk, or he can't wait for them to reset it, so he uses Martha's. He logs onto the financial system and makes a payment. Tim sees this and thinks .. hmm I can do that too. Suddenly a black hole appears in the finances as he starts making unauthorised payments using Martha's credentials. After experiencing a similar crime (which we couldn't pin on anyone due to lapses in password policies) we implemented a biometric password replacement solution from a South African company called SuperVision. Now no-one knows their password - we merely scan a finger to log onto PCs and applications. The software even changes passwords every 14 days to comply with our policies. It's so straightforward it's unbelievable. It cost us a bit of money, but that's nothing in comparison to what we lost when the fraud took place.

Posted by: Charlie Stewart  06 Aug 2010

© Incisive Media Investments Limited 2012, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093