EU Data Protection Regulation: Detection is the best prevention
The UK government recently published guidelines for companies covering the five basic controls that businesses must follow to ensure a minimum level of protection. The goal of this “Cyber Security Implementation Profile’ is to serve as notice that all companies must ensure that they have defenses in place to protect their intellectual property and the consumer data that they hold. This mirrors similar efforts across the EU. In March the EU parliament voted to implement a new Data Protection Regulation which will seek to eliminate the legal differences in data protection across EU countries.
Studies such as last year’s Ernst and Young report, highlight the current deficit in IT security with only 4% of the 1,900 executives interviewed reporting that they had sufficient cyber security defense measures in place. The new Data Protection Regulation created to address these deficiencies was also in response to the increasing consensus amongst the governments of the EU about the need for corporate data protection coupled with increasingly more high profile data breaches in the media. The new regulation would see all pan-EU companies that do not fall into the SME category (under 350 employees) being forced to appoint a data protection officer to oversee the storage and management of consumer data, and all companies regardless of size being forced to report any breach to the data regulator within 24 hours.
It’s a reminder that it is in every company’s best interests to ensure these controls are in place and that they have the necessary safeguards implemented to protect their intellectual property. Companies are starting to realize the need for cyber security awareness as demonstrated by the new alliance to support the Linux foundation to prevent future problems like the Heartbleed OpenSSL bug. It is the hope that this growth of regulation will ensure that companies are aware of the threats posed by cyber-attacks needs to be taken seriously.
What steps can IT managers take to ensure their data is protected and how can they convince the board that each solution is worth the investment? I’ve broken down some of the key steps that can be taken as part of a data protection program.
1. Honeypot in your network
Detection can often be the most difficult and most important part of an attack. For instance, how do you distinguish between legitimate traffic and non-legitimate traffic in your network? Many of our customers say that when trying to monitor activities on the network, whether via network device or an endpoint agent, the false positive ratio is very high.
Importantly, there is a concept which allows companies to implement cyber security solutions which create a “shadow network” inside their internal networks. The solution scans the customer environment and creates a new network which will represent the “real” network of the customer. The “shadow network” acts as a honeypot network trying to lure attackers, whether they are external or internal, and hosts “dummy data” to complete the illusion.
As no one knows about the network and shouldn’t really have access to it, any approach to the network resources will be considered as an attack. This can be an insider that is trying to get access to data that he/she shouldn’t or an attacker that is already in the network and is looking for “weak systems” to gain more access.
2. Managing privilege accounts
One of the most common security practices is to enforce password policy on users. This policy is enforced in most organizations where regular users are forced to change their password every 30-90 days, requiring them to choose a complex password which is different from their old password. Conversely, when it comes to the privileged accounts like system administrators, or system services this is not the case. Remarkably, in many cases passwords for privileged accounts are not changed at all or are changed after periods longer than 90 days. Additionally organizations are failing in providing an audit trail of who uses those privileged accounts and for what purpose. Frequently the privileged account is generic and passwords are shared between administrators.
According to a survey by Cyber-Ark on privileged account security, 86 percent of large enterprises either do not know, or have grossly underestimated the magnitude of their privileged account security problem. Managing the privilege accounts is very important for the organization security as those accounts will be the target for an attacker. Having a system that will manage those accounts, changes passwords on a regular basis, provides a full audit of who asks for the password and potentially even a recorded session of what they did, should be best security practice for most organizations.
3. Handling malicious links
One of the most common methods for hacking into a company is the use of malicious links via a spear phishing attack. Spear phishing emails attempt to target a specific organization or people in an organization, seeking unlawful access to its confidential data. It is common for employees to be directly targeted using information gathered from social media so that the content of the email is both relevant and appealing enticing them to open it. More complex attacks can involve the hacking of the emails of friends/relatives to make the email seem more legitimate. Employees should be thoroughly educated on the risks of opening strange attachments or press on suspicious links, but there are also automated technologies that can be deployed to stop them.
Often solutions will only validate links for malicious content upon receipt. Spear phishing attackers have evolved to circumvent such solutions by loading attacks on the websites after the original check (few minutes or hours) to avoid detection. There are alternatives that prevent this approach, such as employing real time web analytics, isolating and sandboxing suspicious emails. In addition to technological approaches, further education of employees is always a positive place to start as it can reduce the number of attacks while also teaching them to spot an attack as it happens. If your company finds itself regularly the target of spear phishing attacks then it should implement some or all of these solutions.
4. Tracking outgoing data
Far too many companies focus on protecting themselves from incoming malicious links and think that makes them secure. Tracking outgoing data is also important, however, it requires the acceptance by the management team that despite your best efforts people will gain access to the network. If a nation state, for example, with its vast resources wanted to access your systems, there is little that any IT team could do to stop them. It is also important to stress that even if an attacker can succeed in getting into the system, when and how they take data out can expose them if the right systems are in place.
It is possible to expose and track data leaving the system and record where it goes, however this requires the implementation of an effective Data Loss Prevention (DLP) system. If data is categorized, and separate networks and levels of access are established, then it is possible to not only track what data is moving where but also who is doing the moving. Often a hacker will want to encrypt data they are sending out of the system, and this provides another opportunity to detect them. A policy can be deployed that tracks unnatural types of encryption – that is encryption that is not natural to your network.
To limit the chances of an attacker getting access to truly critical IP data, an offline intranet could be established on a physical separated and controlled network. The intranet would be completely without access to the internet or the commercial network, only allowing access from within certain areas within a building, and all access to this system could be tracked by cameras and user profiles.
5. An emergency plan
The management has to realize that no matter how secure their system is, a breach might occur, so they need a response plan. A designated response team, which includes management, IT, legal, business, marketing/PR and other critical departments, needs to be set up so that the business can act in a quick and co-ordinated way when dealing with a breach. Predetermined processes and best practice guidelines will have been set in place so that each department can effectively deal with the situation proactively allowing the business to continue functioning and preventing the potential internal “blame game’ should the response fail.
Conclusion
Managing incoming threats as a company can be a difficult and tricky process. However, there are proactive steps that can be taken to reduce the danger. With the future looking like it will contain far more regulatory controls, with mandated EU compliance regulations, it is more important than ever for companies that are not already doing so to take a realistic approach to their cyber-security. Failure to do this could result in large fines, loss of customer trust and a loss of business.