Fighting virtual shadows to protect customer data from malicious intent
The plight of Barclays Bank, following the theft of thousands of confidential customer files, has once again thrust the issue of how organisations protect confidential data high up the business and consumer agenda. Accountable heads are lifting from the sands of ignorance as theoretical threats become real-life scenarios that must be dealt with, or else expose data vulnerabilities that could bring down even the most powerful brands. This confidential data belongs to the customer, not the enterprise. Customers very quickly turn away from brands shown to be unworthy of being trusted with confidential personal data. Ask yourself: how many chances would you give a bank that hands your details to criminals with malicious intent? But how do you keep one step ahead of the criminal minds?
Besides protecting against system failure, comprehensive data strategies must protect against a new generation of attackers who are rapidly improving their exploitation tactics. With tactics ranging from pop-up adverts and spyware that capture web browsing habits, to the insertion of Trojans, to cleverly crafted queries designed to steal passwords and log-in information, there is malicious intent lurking in every virtual shadow.
THREE CORE AREAS
To protect against these attacks, organisations must take into account the three core areas hackers can compromise online:
• Malicious People – the potentially dangerous people with whom users interact
The Barclays security breach highlights the vulnerability posed by people: a memory stick containing the personal details of 2,000 customers was, now infamously, delivered to a national newspaper.
• Malicious Places – the potentially dangerous destinations or URLs where users visit
The number of phishing campaigns worldwide increased by more than 20 percent in the third quarter of 2013, with crimeware (malware designed specifically to automate cybercrime attacks) evolving and proliferating, according to the Anti-Phishing Working Group (APWG).
• Malicious Things – the potentially dangerous objects/applications with which the user interacts
Every day, more than 100,000 websites are running with the singular goal of spreading crimeware, which can cripple the effectiveness of information security efforts.
There is a gaping hole in today’s approach to security, and organisations are not doing enough to keep data safe. The hackers have taken notice and shifted their attack mechanisms to bypass traditional security measures, and the security industry as a whole must do the same. More than ever, security needs to be intelligent, scalable, and always available wherever end users happen to be.
THE RULES
There are two basic rules, of equal importance, to adhere to when developing, implementing and managing data strategy:
Rule #1 for protecting your customers: Never lose their identity.
• Ensure clear accountability for protecting individuals’ privacy at all times.
Rule #1 for employees: Educate them to not put business-related information at risk.
• Continually consider and address privacy concerns.
A comprehensive approach built on these two rules is the only way to stop malware, spyware, viruses, malicious content and other threats, and so prevent hacking attacks. Phishing, for example, has flourished in recent years against businesses of all sizes, and we all know the consequences can be a tarnished reputation and loss of business. A common form of attack uses email addresses stolen from specific databases via ‘SQL injection’ to launch targeted spear-phishing attacks against email users. To mitigate this, protecting your databases with properly configured web application firewalls (WAFs) is a no-brainer.
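The paragraph above names SQL injection as the way attackers harvest email addresses from a database and recommends a WAF in front of it. As an added example (not from the original article), the following Python shows the application-side defect that a WAF is compensating for, alongside the fix that removes it: a query built by pasting user input into SQL next to the same query with a bound parameter, plus an allow-list input check as defence in depth. The table, rows and tampered input are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data: fictional customers, not a real dataset.
CUSTOMERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_email_vulnerable(conn, username):
    """The defect: input becomes part of the SQL text, so it can change
    the shape of the query rather than just the value compared."""
    sql = f"SELECT email FROM customers WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, username):
    """The fix: the driver binds the value as data; the SQL text is fixed."""
    sql = "SELECT email FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def is_valid_username(username):
    """Illustrative allow-list check (a hypothetical rule, not a WAF product):
    accept only short alphanumeric names before the value reaches the database."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", username) is not None


def demo():
    """Run both lookups with a normal name and a constructed tampered input.

    The tampered string closes the quote and appends a condition that is
    always true, so the vulnerable query returns every row (the whole
    address list the text describes); the parameterised query returns none."""
    conn = make_db()
    tampered = "' OR '1'='1"  # constructed input for the demonstration
    return {
        "vuln_normal": lookup_email_vulnerable(conn, "alice"),
        "vuln_tampered": lookup_email_vulnerable(conn, tampered),
        "safe_normal": lookup_email_safe(conn, "alice"),
        "safe_tampered": lookup_email_safe(conn, tampered),
        "tampered_passes_allowlist": is_valid_username(tampered),
    }
```

Running `demo()` shows the vulnerable lookup leaking all three addresses for the tampered input while the parameterised lookup returns an empty list; the allow-list rejects the tampered value before any query runs.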
General phishing attacks target a wide variety of people, typically flooding thousands of inboxes. Spear phishing, however, targets specific people or organisations. Usually, the attacker will research personal information about the individuals in order to make their messages sound more convincing. The availability of personal information via social media has made this process a lot easier for cyber criminals, which makes it all the more important that businesses educate their users to be vigilant at all times, especially in their personal online activities.
FUTURE PROOFING
Of course, protecting data is like following a moving target in a changing landscape: the data keeps growing and the threats keep morphing, and the only defence is vigilant enforcement of ‘The Rules’.
A recent indication of the shape of things to come was an attack that exploited a key vulnerability in the infrastructure of the internet itself. Hosting and security firm Cloudflare said it recorded the "biggest ever" attack of its kind in February this year, when hackers used weaknesses in the Network Time Protocol (NTP) to flood servers with huge amounts of data. The technique could potentially be used to force popular services offline.
NTP is one of several protocols used within the infrastructure of the internet to keep things running smoothly. Unfortunately, despite being vital components, most of these protocols were designed and implemented at a time when the prospect of malicious activity was not considered.
Anticipated or not, there will always be new and bigger threats to data to deal with. The best that organisations can do to protect their data, their customers and their reputations is to ensure that best efforts are always being made to guard against them, with thorough policy and process. Faith, honour and commitment should be shown to ‘The Rules’ at all times.