SecurityWeek

Data Integrity: The Core of Security

Data breaches at companies such as Target, Home Depot, Staples, Michaels, eBay, and Sony Pictures Entertainment are raising doubts about whether organizations are investing their security dollars in the right areas.

According to the Verizon Data Breach Investigations Report, 95 percent of data breaches are motivated by data exfiltration for material gain or corporate spying. Thus, it is questionable why we are putting so much effort into protecting the network perimeter rather than preventing data from leaving the organization or being modified. Considering the most recent data breaches, it appears that we’ve reached a tipping point that requires a new approach to information security which focuses on protecting the data itself, from the inside-out.

Companies spend huge sums of money every year to maintain a security perimeter designed to fend off cyber and insider threats. According to Gartner, worldwide spending on information security will reach $71.1 billion in 2014, an increase of 7.9 percent over 2013. Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Other Gartner figures show that in 2013, average budget allocations for information security were 5.1% of the overall IT budget, up 8.5% from 2012.

However, the majority of investments are aimed at bolstering traditional perimeter security defenses, which is a losing battle. The cyber-attack on Sony Pictures Entertainment is a good example. Hackers were able to extract extremely sensitive data (e.g., movies, email, social security numbers of employees, etc.) despite an arsenal of security tools being in place.

Undeniably, data is the prime target for attackers. Therefore, if we can prevent data from leaving the organization or being modified, protecting against network breaches becomes less critical. Unfortunately, data is often left unsecured. For example, a quick web search for “data breach and unencrypted data” produces thousands of results that illustrate how many organizations fail to protect the integrity of their data and don’t even encrypt sensitive information.

In fact, a study by the California Attorney General points out that millions of residents had their personal information exposed, but that more than half of these incidents would have been easily avoided if the breached organizations had encrypted their data. A survey of 5,000 senior IT managers conducted by market research firm B2B International supports these findings, revealing that 35 percent of organizations worldwide don’t use encryption to protect data.

This is the reason why more and more regulations and industry standards (e.g., COBIT 5, PCI DSS 3.0, FISMA) are mandating the concept of data integrity. Concerns over the lack of data encryption for instance have prompted New Jersey legislators to propose requiring health insurers to encrypt personal health data on all of their computers. The bill, A-3322/S-562, comes nearly a year after two laptops with unencrypted information were stolen from Horizon Blue Cross Blue Shield of New Jersey’s Newark headquarters.

If data is the ultimate target of cyber-attacks, what steps can be taken to implement a data integrity strategy to secure an organization’s most sensitive digital assets?

The objective of data integrity initiatives is to assure the correctness, completeness, wholeness, and soundness of data, and its compliance with the intent of its authors. In the context of IT security, the goal is to prevent accidental, deliberate, and unauthorized removal, insertion, modification, or destruction of data in a database. So what are the baseline best practices that organizations should put in place?

The first step is to classify data into categories that reflect the business need to protect them, such as “public”, “internal use”, “confidential”, and “top secret”. Unfortunately, data classification is often abandoned due to the manual effort required to maintain the constantly changing classification states. However, emerging big data risk management systems come with so-called dynamic grouping capabilities that let users drag and drop to realign classifications and then propagate the changes to all associated nodes.

Data classification will subsequently determine what data should be encrypted, which typically applies to all personally identifiable information (PII). Innovations in encryption technology over the past few years have eliminated many of its earlier performance and deployment roadblocks. Organizations should place special emphasis on developing well-documented and properly implemented encryption policies, which should be applied to all sensitive data, wherever it resides and however it is transmitted.

Access control is the Achilles heel of many security programs, since practitioners have to balance data availability against unauthorized data usage (e.g., theft, disclosure, modification, destruction). Meanwhile, hackers often target privileged users since their accounts provide a beachhead into the entire network. Therefore, strict enforcement of well-defined access control policies and continuous monitoring of access paths to ensure they are working as intended are essential for the success of data integrity initiatives. To assist here, organizations should consider deploying big data risk management systems to assess the organization’s risk posture, visualize the results, and prioritize remediation actions based on business criticality.

Last but not least, organizations should implement practices to certify uncorrupted data transmission. Worst case scenarios here include the manipulation of stock market data by cyber-attackers before it is publicly disseminated.
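One way to make tampering in transit detectable is to authenticate each record before it is disseminated. The following is an added example, not part of the original article: it assumes a sender and receiver that share a secret key, and the names `seal`, `Receiver`, `DEMO_KEY` and the sample price record are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would load it from a key store.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def seal(key: bytes, seq: int, record: dict) -> dict:
    """Sender side: wrap a record with a sequence number and an HMAC tag."""
    body = json.dumps({"seq": seq, "record": record},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiver side: accept only authentic messages with a fresh sequence."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, message: dict) -> dict:
        expected = hmac.new(self.key, message["body"].encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how much of the tag matched.
        if not hmac.compare_digest(expected, message["tag"]):
            raise ValueError("integrity check failed: record was modified")
        parsed = json.loads(message["body"])
        if parsed["seq"] <= self.last_seq:
            raise ValueError("stale or replayed sequence number")
        self.last_seq = parsed["seq"]
        return parsed["record"]


def demo() -> list:
    """Run a genuine, a modified and a replayed message through the receiver."""
    rx = Receiver(DEMO_KEY)
    genuine = seal(DEMO_KEY, 1, {"symbol": "EXMPL", "price": "101.25"})
    modified = dict(genuine, body=genuine["body"].replace("101.25", "151.25"))
    results = []
    for name, msg in (("genuine", genuine), ("modified", modified),
                      ("replayed", genuine)):
        try:
            rx.accept(msg)
            results.append((name, "accepted"))
        except ValueError as exc:
            results.append((name, str(exc)))
    return results
```

The tag is verified before the body is parsed, so a modified record is rejected without its contents ever being interpreted, and the sequence check rejects an authentic but previously delivered record.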

When it comes to information security, 100 percent protection is unattainable. However, by supplementing traditional perimeter defense mechanisms with data integrity principles, organizations can significantly reduce their exposure to Sony-scale data breaches.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
