Managing your data risk: back to basics


Chris Richter, Level 3 Communications

Network Security, August 2015

It is estimated that enterprises spent more than $70bn on security technology in 2014, according to an industry analyst, and are expected to increase that spend by nearly 10% in 2015.[1] With such increased year-over-year expenditure, it would be easy to believe the enterprise sector is winning the battle against cyber-criminals. Wrong. Malware proliferation, network penetrations and data breaches continue to have an impact on organisations at an alarming rate and with increased consequences. The desire for access to company data is spurring a surge in targeted cyber-attacks each year. And these are becoming more sophisticated, with a growing number of hacker toolkits and black market trading sites for stolen data. In fact, in 2014, the average financial loss attributed to cybersecurity incidents was $2.7m globally, an increase of 34% compared to 2013, according to one analyst.[2] In addition to the growing number of data breaches – where critical data can be stolen – the average time a hacker goes undetected inside a system is also on the rise.

Right posture

It is easy to get carried away with focusing efforts on keeping up with the daily security threats, but in reality, security professionals need to keep up with the basics and ensure security processes and procedures, also known as posture, are in place. The challenge for organisations is that the cost to implement cyber-security defence will continue to rise as attacks become stealthier and more difficult to combat. In a way, this increase in spending can also be a waste of money, time and resources. In terms of cyber-security, instead of spending more, businesses need to spend smarter. Organisations can actually spend less and improve their security if they invest it in the right places. Rather than throwing money at the problem, it is more important to take a step back and conduct a carefully thought-out risk assessment. This way, companies – most of which are drowning in invaluable data that cyber-criminals potentially want to steal – can actually determine how best to secure their biggest asset: data. Without this basic step, it is difficult to deploy the appropriate security measures for your organisation, which is why spending smartly on securing the organisation is the better option. Once the risk management programme is in place, the IT team can begin to layer on the appropriate types of protection required. The type of security controls and the amount spent on those controls should be based on data value, its location, vulnerability, likelihood of breach and the impact of such a breach. There are six steps that organisations need to take as part of this assessment.

Understand the value and location of data assets

According to research by one analyst, CEOs are focused on the value of big data and are partnering with IT executives who will purchase, manage and execute strategies based on their data.[3] However, more often than not, data is a company’s biggest asset. Unfortunately, it can be very difficult to assign a value to it. Without establishing the value of a company’s data, it is nearly impossible to perform a risk analysis, which is an essential step in determining the best approach to securing that data. Data can also represent an organisation’s greatest liability. If data is not properly disposed of, the risks to an organisation, should there be a breach, can be devastating. A well documented cyber-attack on an entertainment powerhouse in 2014 saw hackers expose emails that dated back to 2008, according to one report. We should never assume our data is simply not of interest to cyber-criminals and thus has no value; most data is either an asset or a liability. It is important to not only understand the value of data, but also understand where it is being stored. This is especially true of large enterprises that have undergone several organisational restructures, or acquired other businesses and have therefore inherited IT infrastructures. Data tends to be scattered across a multitude of systems and is often housed in ‘shadow IT’ infrastructures that have not necessarily been approved inside the organisation. This only exacerbates the problem by making the application of proper security controls almost impossible.

[Figure: Average financial losses due to security incidents, 2013-2014. Source: PwC.]
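To make the assessment step concrete, here is an added example (not from the article or from Level 3) that scores a constructed inventory of data assets on the five factors named above, value, location, vulnerability, likelihood and impact, ranks them and splits a fixed controls budget in proportion to the result, with unapproved 'shadow IT' locations weighted up. The location multipliers, the 25% uplift per open vulnerability and the sample figures are all assumptions.

```python
# Rank data assets by expected breach loss and split a controls budget to
# match.  Added illustration, not from the article: the weights, location
# multipliers and sample inventory are all assumptions.
from dataclasses import dataclass

# Assumed exposure multipliers: data in unapproved 'shadow IT' or an
# un-audited cloud is harder to control, so its risk is scaled up.
LOCATION_FACTOR = {"on-prem": 1.0, "cloud": 1.3, "shadow-it": 2.0}

@dataclass
class DataAsset:
    name: str
    value: float              # estimated worth (or liability) of the data
    location: str             # a key of LOCATION_FACTOR
    open_vulns: int           # known unpatched flaws in the hosting application
    breach_likelihood: float  # annual probability of compromise, 0..1
    impact: float             # fraction of the value lost if breached, 0..1

def expected_loss(asset: DataAsset) -> float:
    """Annualised loss: value x likelihood x impact, scaled by location
    exposure and by the open-vulnerability count (assumed +25% each)."""
    if asset.location not in LOCATION_FACTOR:
        raise ValueError(f"unknown location {asset.location!r}")
    vuln_factor = 1.0 + 0.25 * asset.open_vulns
    raw = asset.value * asset.breach_likelihood * asset.impact
    return raw * LOCATION_FACTOR[asset.location] * vuln_factor

def rank_assets(assets: list) -> list:
    """Highest expected loss first: where control spend should go first."""
    return sorted(assets, key=expected_loss, reverse=True)

def allocate_budget(assets: list, budget: float) -> dict:
    """Split a fixed controls budget in proportion to expected loss."""
    total = sum(expected_loss(a) for a in assets)
    if total == 0:
        return {a.name: 0.0 for a in assets}
    return {a.name: round(budget * expected_loss(a) / total, 2) for a in assets}

# Constructed sample inventory; the figures are illustrative only.
INVENTORY = [
    DataAsset("customer-db", 5_000_000, "on-prem", 1, 0.10, 0.6),
    DataAsset("legacy-email-archive", 2_000_000, "shadow-it", 3, 0.20, 0.9),
    DataAsset("marketing-site", 200_000, "cloud", 0, 0.30, 0.2),
]

if __name__ == "__main__":
    for a in rank_assets(INVENTORY):
        print(f"{a.name:22} {expected_loss(a):>12,.0f}")
    print(allocate_budget(INVENTORY, 1_000_000))
```

Note how the forgotten email archive in shadow IT outranks the far more valuable customer database once location and unpatched flaws are counted, which is the point of valuing and locating data before buying controls.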

Understand your applications’ security

Banks and large e-commerce companies have been early adopters of customer profiling applications, but they are not alone in utilising third-party applications as part of their day-to-day business operations. Payment processing, enterprise resource planning, e-commerce and customer relations management are just a few of the business processes that require third-party, and custom-developed, IT applications that are used every day by employees within an organisation. These applications have the ability to access and process data in many forms, from customer data to business-sensitive information. However, they are often custom products with a lot of the code written offshore and often without security in mind. Organisations need to keep this software up to date and have a patching process in place. An assessment of all third-party and internally-developed assets is required to ascertain how many potential vulnerabilities there are through these pieces of software.

Audit architecture

When it comes to IT infrastructure, the focus needs to be on simplicity. If too many technology processes are in place, the complexity of a system can become a risk. This is often the case when organisations buy technology and continue to layer each new piece on top of the next. Like a house of cards, at some point, it will fall. Organisations that are moving their data to the cloud must discuss this process in a transparent way with their cloud provider in order to ensure the cloud architecture can legitimately secure the kinds of data being moved across. Understanding cloud security is becoming increasingly important as more than 50% of all data workloads are virtualised, according to one industry analyst.[4] One of the least understood areas in the process of moving to the cloud is the middleware. Access to middleware is often via an Application Programming Interface (API), which in itself can represent cyber-attack vulnerabilities. As recent attacks on companies have shown, APIs are often the way in which criminals gain access to business data and cloud systems. Businesses must ensure the APIs they use are not open to these kinds of attacks, especially as they are potentially securing mass volumes of data from a number of organisations. As such, companies should take steps to audit their cloud provider’s own infrastructure as well.

Understand the threats to your data

Threats can be internal (employees, stakeholders) and external (cyber-criminals of various guises). It’s easy to say “it’s never going to happen to us”, but organisations must consider themselves as a target. As a business, it is essential to understand what could make you a target – for example, public announcements, contracts or customer information. Once these have been identified, the types of security measures needed can then be understood. Strong cyber-security measures have as much to do with process as they do with technology. We often see that organisations have implemented a patchwork approach to security architectures by deploying a number of boxes on the network with various threat level and alerting functionalities. This approach to securing data creates operational complexity, introduces vulnerabilities and creates additional ‘alert noise’ that security teams must triage to discover events worthy of investigation.


Fear the hacker, not the auditor

A data breach can be more damaging in the long term than a failed audit. Security is a process that goes beyond compliance, and CIOs need to move beyond the mentality of buying technology for technology’s sake and begin buying more relevant systems and tools for their organisation holistically. There is a plethora of different security products available for enterprises that secure an organisation from different threats and at different levels. They range from DDoS attack mitigation to network and data security. Identifying which are best for your organisation is fundamental to ensuring the best measures are put in place.

Collaborate with service providers and peers

Some controls are better suited for delivery by service providers, such as network-based controls, various managed security services, and risk and vulnerability assessments. It is important to take note of which security measures have been identified as the best fit for your business and utilise the right people to implement them.

To an extent, working with peers can also ensure that best practices are in place across the industry sector in which you operate. Of course, there are limits to the kind of data that can be shared, but providing metadata can ensure mutual benefits within the sector.

Conclusion

There are no silver bullets here, but with the right processes in place, many of the data breaches we read about over the past year could have been avoided. The cyber-criminals are working together to discover, refine and share the most effective methods and strategies to attack your organisation and you need to do the same to fight back.

About the author

As Level 3’s senior vice president of managed security services, Chris Richter is responsible for the company’s global managed and professional security services line of business. With 30 years of experience in IT, he has held a number of leadership positions in managed security, IT consulting and sales with several technology product and services organisations. He served most recently as vice president, managed security services at CenturyLink. For more than a decade, he has assisted numerous IT organisations in adapting their premises-based infrastructure risk management programmes and security controls to outsourced, virtualised and shared-infrastructure services. He has acted as both a board member and technical advisor for technology firms, and writes and speaks regularly about cyber-security, risk management and IT outsourcing.

References

1. ‘Gartner Says Worldwide Information Security Spending Will Grow Almost 8% in 2014 as Organisations Become More Threat-Aware’. Gartner, 22 Aug 2014. Accessed Jul 2015. www.gartner.com/newsroom/id/2828722.
2. ‘Managing cyber risks in an interconnected world’. PwC, 30 Sep 2014. Accessed Jul 2015. www.pwc.com/gx/en/consulting-services/information-security-survey/assets/the-global-state-of-information-security-survey-2015.pdf.
3. ‘Big Data’. IDG, 6 Jan 2014. Accessed Jul 2015. www.idgenterprise.com/report/big-data-2.
4. ‘Cloud Computing’. Gartner. Accessed Jul 2015. www.gartner.com/technology/topics/cloud-computing.jsp.

Move to intelligence-driven security

Ricky Knights, Cyberoam and Emma Morris, VCW Security

Today’s disruptive enterprises are primed for unprecedented security challenges. The evidence is already compelling: cyber-attacks and network breach incidents are increasing in frequency, volume and complexity, reaching an alarmingly high level, drilling holes in the networks of the world’s top business corporations (Fortune 500 firms included) and government establishments. For CSOs and CISOs, the question to ask is, what has happened to next-generation firewalls and endpoint protection? The bevy of attacks, evolving threat landscape and growing malware mayhem only hint that more security breaches are inevitable. There is no easy fix available, nor can we pray to Zeus to help us with a ‘magical sandbox’ or cure-all panacea, and it would be unrealistic to expect that this situation will improve in the short-term. Existing security infrastructure at many organisations is undeniably porous and decades of poor design can’t be overhauled merely by applying a few patches.

Impeded visibility

There are flaws in our security posture – many security gaps exist and most businesses do not understand their baseline