Computer Crime Research Center


Computer crime: Data breaches

Date: July 19, 2005
By: CyberArk

... on guard for social-engineering techniques designed to pilfer usernames and passwords from unsuspecting users.

VII. Secure Data-at-Rest
Given the continuous news of lost backup tapes and unauthorised access to corporate databases, more attention is being given to the effective encryption of “data-at-rest”, that is, information stored on desktops, notebooks, PDAs, backup tapes, and storage arrays. The goal of encryption is simple: make data unreadable to anyone who is not authorised to read it. Encryption systems use digital keys to lock information (make the data unreadable) and to unlock it (return the data to readability). Without the exact keys, it is nearly impossible to turn the gibberish back into comprehensible text. In the event of a security breach, encryption can be the final layer of defence, which is why organisations need to design an encryption strategy that is both effective and unobtrusive to normal business operations. Enterprises also need to decide how to protect data residing in servers, applications, and other storage devices. Once organisations have completed their risk assessment, classified their information assets, and determined their most sensitive information, they need to ensure their most valuable and private data is encrypted and stored in a highly secure location. Encrypting stored data can be one of the most critical facets of an organisation’s defence-in-depth strategy, but it must not be deployed in a vacuum: encryption needs to work in conjunction with strong network security practices, identity authentication, and policy-based data access controls.
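As an added example (not from the original article or from CyberArk), the Go program below shows what the “lock and unlock with a key” description above amounts to for a record headed for a backup tape: AES-256-GCM, with the key kept apart from the stored blob. It demonstrates the property the article relies on, that without the exact key the blob stays gibberish, and one it does not mention, that an authenticated mode refuses to decrypt an altered blob rather than returning corrupted plaintext. The record label and contents are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewDataKey returns a fresh random 256-bit data-encryption key. The key is
// the only secret: it belongs in a vault or HSM, never on the tape or array
// next to the data it protects.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag,
// so the stored blob carries everything except the key. label (for example the
// record ID or backup-set name) is bound as associated data: it is not
// encrypted, but a blob copied into a different slot will refuse to open.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per record; never reused under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. With a wrong key, an altered blob or a different label it
// returns an error rather than gibberish, because GCM checks the tag before it
// releases any plaintext.
func Open(key, blob, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func main() {
	key, _ := NewDataKey()
	label := []byte("backup-2005-07-19/customer/42")                          // constructed label
	blob, _ := Seal(key, []byte("acct=12345 card=4111-XXXX-XXXX-1111"), label) // constructed record
	fmt.Printf("stored blob is %d bytes of ciphertext, not the record\n", len(blob))

	pt, err := Open(key, blob, label)
	fmt.Printf("right key: %q err=%v\n", pt, err)

	lost, _ := NewDataKey() // whoever finds the tape holds a different key
	_, err = Open(lost, blob, label)
	fmt.Println("wrong key:", err)

	blob[len(blob)-1] ^= 1 // flip one bit of the tag
	_, err = Open(key, blob, label)
	fmt.Println("tampered blob:", err)
}
```

The label check is what makes this more than file-level encryption: a backup operator who can copy blobs between slots still cannot make record 43 decrypt as record 42.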

VIII. Secure Data-in-Motion
Securing data while it travels between applications, business partners, suppliers, customers, and other members of an extended enterprise is crucial. As enterprise networks become increasingly accessible, so does the risk that information will be intercepted or altered in transmission. As a result of continued high-profile information breaches, enterprises will increasingly strengthen the way they encrypt information as it travels across their internal network and to the remote networks of their customers and partners. There are many ways to encrypt data in transit, including virtual private networks and multipurpose security appliances that combine IDS, IPS, firewalls, anti-virus programs, and other security technologies in a single device. Another option is the server-based encryption solutions provided by router and switch manufacturers.

Networking equipment manufacturers such as Cisco and Juniper are increasingly enhancing the security capabilities within the network. It will take years, however, for the visions of the “self-defending” network to come near fruition.

Each data-in-motion encryption solution has its own strengths and weaknesses. For instance, while server-based encryption and security solutions embed security deep within the network, many of them are complex and harder to manage, and they require a significant investment in time and resources to configure and manage both network and security settings. Multi-purpose appliances are easier to install and manage, but the functionality and quality of each security function (VPN, IDS, IPS, anti-virus, and so on) may not meet the “best-of-breed” standard many organisations still prefer. Many vendors of such suites have also failed to integrate the various security technologies well enough to offer unified management across them.

Security managers must evaluate the risks to their information as it travels throughout their internal network and to the networks of their external partners, and, given the resources available to them, decide which approach best provides an adequate data-in-transit encryption solution for their environment.
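As an added example, not code from the article or from any vendor it names, the Go program below runs a TLS session between a server and a client over an in-memory link and records what an interceptor on that link would capture. It shows the two things any data-in-motion solution in this section must deliver: the order the server sends is not readable on the wire, and the client refuses the session when the server's certificate does not chain to a trusted issuer or is issued for a different host name. The host name partner.example, the self-signed certificate and the purchase order are constructed for the example; the asyncConn wrapper exists only because Go's synchronous net.Pipe would otherwise deadlock when one side aborts mid-handshake.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)

// Host is the constructed name of the partner endpoint the client expects.
const Host = "partner.example"

// asyncConn wraps one end of net.Pipe. The synchronous pipe would deadlock when a
// side stops reading mid-handshake (a client rejecting a certificate while the
// server still flushes its flight), so writes are queued to a goroutine. Every
// byte written is also copied to tap: what an interceptor on the link would get.
type asyncConn struct {
	net.Conn
	tap *bytes.Buffer
	out chan []byte
}

func newAsyncConn(c net.Conn, tap *bytes.Buffer) *asyncConn {
	a := &asyncConn{Conn: c, tap: tap, out: make(chan []byte, 64)}
	go func() { // ends once the pipe is closed by either side
		for p := range a.out {
			if _, err := c.Write(p); err != nil {
				return
			}
		}
	}()
	return a
}

func (a *asyncConn) Write(p []byte) (int, error) {
	cp := append([]byte(nil), p...) // tls reuses its output buffer, so copy
	a.tap.Write(cp)
	a.out <- cp
	return len(p), nil
}

// SelfSignedCert builds a throwaway certificate for Host (constructed; a real
// deployment uses one issued by a CA the client already trusts).
func SelfSignedCert() (tls.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{Host}, // the name the client checks
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, nil
}

// Demo runs one TLS session over an in-memory link: the server presents cert and
// sends a constructed order; the client accepts only if the certificate chains to
// a trusted root (trustServer) and carries serverName. It reports whether the
// order arrived intact and whether its plaintext was visible on the link.
func Demo(cert tls.Certificate, trustServer bool, serverName string) (bool, bool, error) {
	roots := x509.NewCertPool() // left empty, no issuer is trusted
	if trustServer {
		roots.AddCert(cert.Leaf)
	}
	payload := []byte("PO-2005-0719: ship 40 units to partner warehouse") // constructed
	var wire bytes.Buffer
	cliRaw, srvRaw := net.Pipe()
	defer cliRaw.Close() // tears down both ends
	go func() {
		s := tls.Server(newAsyncConn(srvRaw, &wire), &tls.Config{
			Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
		if s.Handshake() == nil {
			_, _ = s.Write(payload) // client may already be gone; ignore error
		}
	}()
	c := tls.Client(newAsyncConn(cliRaw, new(bytes.Buffer)), &tls.Config{
		RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12})
	if err := c.Handshake(); err != nil { // untrusted issuer or wrong name
		return false, false, err
	}
	got := make([]byte, len(payload))
	if _, err := io.ReadFull(c, got); err != nil {
		return false, false, err
	}
	return bytes.Equal(got, payload), bytes.Contains(wire.Bytes(), payload), nil
}
```

Call Demo(cert, true, Host) for the intended session, Demo(cert, false, Host) for a server whose issuer the client does not trust, and Demo(cert, true, "other.example") for a certificate issued to a different name; the last two fail in the handshake and deliver nothing. The same three checks (trusted issuer, expected name, nothing readable on the wire) are what to verify for a VPN or appliance before relying on it.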

The complexity of today’s business-technology systems, the sorry state of software application security, the general lack of employee IT-security awareness, and the growing “connectedness” of partners, customers, and contractors all work against security managers’ task of protecting critical business information. A single break in security anywhere in the chain is enough for risk to reach an unacceptable level. It could be an employee who falls prey to a social-engineering attack and discloses his or her username and password to a criminal, or a package-delivery company that misplaces unencrypted backups containing customers’ financial information. A single unpatched server or a misconfigured system or network device can be enough for an organisation to face the unthinkable: having to inform thousands of customers that they are at risk of identity theft, or to tell shareholders that proprietary product research and development information was leaked to competitors.

That’s why it is so crucial that senior management instil how critical information security is to the health and reputation of the organisation, and ensure its strategic alignment with business policy. And that is why security teams should employ several security technologies working in tandem, so that no single point of failure results in a security breach. Because it is nearly impossible for organisations to protect every facet of their network, they need to pay special attention to the security of their most sensitive data: information that, if compromised, could result in the loss of a competitive advantage, a regulatory penalty, or even serious damage to their brand or reputation. To secure their most critical intellectual property and customer information, organisations need to create a highly secure place on their network: an area where the strictest levels of authentication, access control, encryption, and auditing ensure the highest level of security possible, at all times.