Although data breaches are common, and more destructive and more targeted than ever before, they can most often be prevented using common, inexpensive security procedures, according to a new report released by the Verizon Risk Team.
The report claims 96 percent of breaches could have been prevented with simple or intermediate controls. It also found 89 percent of the victims who are required to comply with the Payment Card Industry Data Security Standard were not compliant when they were attacked. The authors concluded, "Almost all breaches are avoidable (at least in hindsight) without difficult or expensive corrective action."
Here are some of the report's recommendations for defending against data breaches:
Achieve essential, and then worry about excellent: "We find many organizations achieve very high levels of security in numerous areas but neglect others. Criminals will almost always prefer the easier route. Identifying a set of essential controls and ensuring their implementation across the organization without exception, and then moving on to more advanced controls where needed is a superior strategy against real-world attacks."
Change default credentials: "Simple and sweet, when system/network admins stand up a new system, change the password. If you outsource this to a third party, check that they've changed the password."
User account review: "The review should consist of a formal process to confirm that active accounts are valid, necessary, properly configured, and given appropriate privileges."
Restrict and monitor privileged users: "Don't give users more privileges than they need and use separation of duties."
Secure remote access services: "In many instances, remote access services have been enabled and are Internet-facing. ... It's important to limit access to sensitive systems within the network. Many organizations will allow any device on the network to connect and remotely access any other device; we highly recommend not managing your devices this way."
Monitor and filter egress network traffic: "At some point during the sequence of events in many breaches, something (data, communications, connections) goes out that, if prevented, could break the chain and stop the breach. By monitoring, understanding, and controlling outbound traffic, an organization will greatly increase its chances of mitigating malicious activity."
Application testing and code review: "It is no secret that attackers are moving up the stack and targeting the application layer. Why don't our defenses follow suit? As with everything else, put out the fires first: even lightweight Web application scanning and testing would have found many of the problems that led to major breaches in the past year."
Enable application and network witness logs and monitor them: "Processes that provide sensible, efficient and effective monitoring and response are critical to protecting data."
Train employees and customers to look for signs of tampering and fraud: "ATM and pay-at-the-pump tampering/fraud seem to be increasing in number and scope. Organizations operating such devices should consider conducting regular examinations of them."
Create an incident response plan: "An effective incident response plan helps reduce the scale of a breach and ensures that evidence is collected in the proper manner."
A copy of the report may be found at www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf