In-Depth
Data Security Trends: Staying Ahead of the Bad Guys
What you can do now to stay a step ahead of the changing vulnerability landscape.
by Gary Palgon
First they attacked information stored in databases. As soon as companies began securing this data at rest, they went after data in transit in wireless networks. Companies then reacted by taking steps to secure wireless transmissions and those with business partners. Now, the bad guys are going after sensitive information being transmitted internally throughout enterprises -- a gap in the PCI Data Security Standard (PCI DSS) -- causing IT security officers to have to shore up protection of internal data transfers.
Initially, cybercriminals went after credit card numbers because they gave the greatest yield on the black market and were fairly easy to steal. Thanks to high profile breaches such as ChoicePoint in 2004, TJX in 2007, and Hannaford Bros. in 2008, and to the Payment Card Industry’s response in the form of its data security standard, merchants and banks have made great strides in protecting debit and credit card information at rest in databases and files and in transit over wireless networks.
The newest version of the PCI DSS (1.2) requires merchants to secure payment card information on Web sites, Web servers and wireless networks and has added requirements for securing PIN entry devices (PED) and hardware security modules (HSM). Yet, as the PCI Security Standards Council evolves the standards and merchants comply, so do the targets and methods of breaches.
What’s Next for Cybercriminals
With most payment card data being locked down at rest and in transit across wireless networks thanks to PCI DSS, cybercriminals will go after this data in other places, such as in transit on corporate networks. They’ll also focus more on stealing personally identifiable information (PII), particularly those fields most commonly collected and useful such as Social Security, driver’s license, state ID, financial account, and passport numbers, followed by more specialized PII such as biometric information and health records. State breach notification laws passed by 40 states address PII data theft and loss and spell out requirements for companies to follow when such a breach occurs. Attacks aimed at stealing PII are expected to increase as payment card data becomes increasingly harder to steal, putting other types of organizations and companies at risk beyond those that collect and store credit card numbers.
Cybercriminals will also try to crack encrypted data by stealing encryption keys and certificates. Data security professionals live and die by two profound truths. First, if you encrypt data and lose the encryption key, the data is lost forever as there is no way to get it back. Second, if you encrypt data and don’t control access to the keys, you haven’t really secured the data. It’s not too soon to take a look at how you secure the encryption keys that protect data at rest and the certificates that protect data being sent between trusted business partners and through Internet connections to ensure they are adequately protected.
Other vulnerabilities that cybercriminals can take advantage of are confidential data in virtual environments, as well as the credit card track 2 data that is collected by merchants and often stored between the time the payment information is collected and the credit card is charged. This time is greatly expanded to days or weeks in cases where credit card information is obtained, but the consumer’s account is not charged until the product is shipped.
It is promising that the next iteration of the PCI DSS, the best example of a technical data security standard at this point, will address emerging threats such as protecting data in transit within the enterprise, virtualized data, the pre-authorization storage of track 2 data, and partner data security compliance. That said, there’s no reason to wait for the passage of an industry mandate or a national government data privacy law to review your data security practices and evaluate your organization’s readiness in light of what’s sure to come.
What You Can Do Now
Fortunately, there are things you can do stay a step ahead of the bad guys to keep the sensitive and confidential information entrusted to your organization safe and secure.
Secure data in transit internally: Cybercriminals are beginning to prey on unsecured data as it moves around organizations inside the firewall. This includes payment card data, PII and confidential corporate information (including intellectual property). What’s more, this unprotected data is also at risk for theft by employees. According to a Global Security Survey by Deloitte, 74 percent of respondents said they had encountered internal attacks in the last 12 months. Enterprise Strategy Group’s study about internal security breaches of 229 companies with 1,000 or more employees reported that 23 percent of respondents had suffered an internal security breach in the last 12 months. Recognizing that securing internal data in transit is not specifically addressed in the current version of the PCI DSS, it never hurts to be ahead of the compliance requirements and become more secure at the same time.
Switch to WPA wireless networks: Many companies still use Wired Equivalent Privacy (WEP) to protect data in transit over wireless networks. Unfortunately, WEP was found to have several security weaknesses. In response to those vulnerabilities, the Wi-Fi Alliance created a new certification program -- Wi-Fi Protected Access (WPA and WPA2) -- to secure wireless computer networks. Switching to WPA or WPA2 for strong encryption will better protect your sensitive and confidential data as it is transferred over wireless networks.
Address PII at rest: Inventory where all of the personally identifiable information your organization collects is stored and make sure it is properly secured. This includes electronic data as well as physical hardcopy data. This is also a good time to determine if all of the PII your company collects is necessary and, if so, if it all needs to be stored. Many companies find that much of what they collect is unnecessary. Once it is used for its intended purpose, it can be deleted instead of being stored, further reducing risk.
Review data security with business partners: Double check the security of all data in transit with your business partners. If data is being sent over FTP, switch to Secure FTP, for example. If you’re communicating using an EDI VAN, confirm that the VAN provider is providing a secure connection -- most VANs are not. Consider establishing direct connections with your largest trading partners using AS2, which is inherently secure and also cost effective.
Secure data on endpoints: Endpoints such as laptops, iPhones, e-mail servers, and DVD, CD, and thumb drives also pose a data security risk from theft, data leaks, and accidental loss. Either prevent sensitive and confidential data from being loaded onto these types of devices (through lockdown or through encrypting the data right at its source), or make sure confidential data residing on endpoints is locked down and accessible only by people with proper authority.
Be “in the know”: Threats evolve constantly, so stay on top of the tactics cybercriminals are using to steal data and know what they’re going after. Also keep abreast of industry and government mandates and laws so that you know your obligations.
Data security threats continue to evolve as cybercriminals change their attack strategies. To counter these threats, industry groups such as the Payment Card Industry Security Standards Council have developed data security standards to help organizations better protect the sensitive and confidential data entrusted to them. With every release of the PCI DSS the industry takes another step forward to protect information and make it more difficult to steal. However, just as the standard evolves, so does the focus of the breaches move to the next vulnerability.
The most effective defense is offense. You can stay ahead of bad guys by taking steps now -- well ahead of industry and government privacy and security mandates and laws -- to protect the information entrusted to your organization wherever it resides or travels.
Gary Palgon is vice president of product management for Atlanta-based nuBridges, where he is responsible for defining strategy for the company’s widely-used data protection solutions. You can contact the author at gpalgon@nubridges.com or visit http://www.nubridges.com.