I recently came across this article on the “Top hacker disasters of 2011”, written by David Aitel of Immunity Inc. David has put together a brilliant article that lists some of the high-profile attacks and five lessons to be learned. One key point that you should notice in this article is that there was no single security failure point that caused a company’s breach. The points of attack ranged from technology being cracked to poor security practices within a corporation.
After reviewing David’s 5 lessons, I wanted to comment on each to add a little more insight.
In Lesson 1: Protecting critical data, David points out how the RSA SecurID token was hacked. He also discusses that most executives do not even know what critical information is in their databases, and the need for a chief information security officer (CISO). While I agree with this, the other takeaway is that security technology alone cannot protect the company. Anything that is created by humans can eventually be broken by humans given enough time, resources and money. This is what happened with the RSA SecurID token.
In Lesson 2: Segmenting your network, an additional point that I would add is to segment the data that is stored on the network into confidential and public. By segmenting the data into these two classifications, security can be designed to meet the specific needs of each. Segmentation also will keep costs down. Why pay for high encryption to secure a press release? You also want to segment the employees into different groups according to which data they are and are not allowed to access.
In Lesson 3: Security leadership, having a point security person is becoming more and more important to corporations. Security is now being discussed at the board level and within executive meetings. This CISO, who is responsible for the overall business data security, should report directly to the CEO and CFO.
In Lesson 4: Audit your periphery, David talks about the importance of auditing your website for security holes if it contains sensitive information. However, this is also true for corporate networks. Companies need to set up a plan as to how they will respond when there is an attack. Sadly, the industry has come to the point where there are two classifications of companies: 1) those that have had a security breach; and 2) those that don’t know that they have had a breach. While all the best planning in the world will not prevent a breach, it certainly will help lower the cost and time it takes to recover from the attack.
In Lesson 5: Don’t share passwords, I agree with all that David has said about the length of passwords, the combination of characters, letters and symbols, and the use of multifactor authentication like a smartcard or token. I also want to add: don’t write passwords on sticky notes and post them on the monitor. However, one point that is often overlooked is that the password security policy created by the CISO can itself lead to a weak password authentication infrastructure. Employees will circumvent security for their own convenience. That is why I suggest a company also have a secure password management application, so that employees do not have to know, remember or even type passwords into sensitive networks, applications, computers and websites.
And while David talks about 2011, I fear that 2012 is not going to be any better in safeguarding companies from data attacks. With all the different federal and state privacy laws in place, companies can’t afford to be lax on their data security anymore.
Access Smart has started a new Security Technology Partners program. With all the different components required to secure data, Access Smart has started a new program in which we are listing technology partners who offer security solutions other than password management. We look at four different points of vulnerability and then match each with a partner’s technology that addresses it. While no one partner has the complete solution, it is the combination of these different technology partners together that creates an environment that will protect your company from a data attack. To learn more about our partners program, please visit our website.
Click the link Top Hacker Disasters of 2011: Five Critical Lessons for Businesses to read the entire article written by David Aitel.