Block Data Leakage at the Source
by Ian Kilpatrick - Chairman Wick Hill Group - Monday, 29 October 2007.
Companies now need to review how the risks to their organisations have changed with regard to data confidentiality, and assess what the current dangers are. A risk assessment can be carried out and positive action planned to protect against the relevant threats. A key part of any programme will be to communicate regularly to staff that data protection is the responsibility of everyone in an organisation, not just the IT team. It should also be reiterated that any unauthorised access to or misuse of data by staff, whether it is non-malicious but done without authorisation or done with criminal intent, is not acceptable.

High risk areas

Email

Email is a key area of risk for many organisations. Email travels across the Internet through a chain of mail servers. Sending unencrypted emails is the equivalent of sending postcards by ordinary mail: they are easy to intercept and read, without the sender or intended recipient being any the wiser. There are actually companies whose business it is to use keyword searching to find (to order) information for interested businesses.

The solution is to use email encryption, which enables you to secure the communication and restrict read access to the named recipient only. There are a number of ways of carrying out email encryption which don't impact the business. For example, encryption specialist Utimaco has a system that enables you to send email as encrypted PDFs, readable by the recipient using a password. Other systems operate around PKI and the use of public and private keys. The common thread is that confidential information can be freely sent over the Internet, with the data secured by encryption.

If you're emailing remotely, then VPNs can also have an important role to play, because VPN encryption will protect the confidentiality of your emails in transit. This applies to both SSL and IPSec VPNs. So companies can require the use of VPNs by employees picking up email remotely. Similarly, VPN use can be enforced for wireless users. If you don't want to encrypt all emails, you can just make sure you encrypt confidential emails. Encryption is also a good idea for confidential internal emails. As discussed earlier, the curiosity of some employees can get the better of them, and most administrators have access to email. Outsiders may also gain access to internal systems if access control is not secure enough.

Remote and laptop use

The DTI Survey 2006 found that 60% of companies that allow remote access do not encrypt their transmissions, and that businesses that allow remote access are more likely to have their networks penetrated. Security is a particular risk when people are working away from the office, either at home or while travelling. All remote access to head office applications should be done over encrypted VPNs (either IPsec or SSL) which, as already mentioned, will protect data confidentiality.

Laptops are particularly at risk of theft or loss, disappearing from employees' homes, cars, hotels, etc. The cases of laptop theft quoted earlier, which exposed personal data, would not have been a problem if the companies concerned had encrypted the laptop hard disk. Thieves would have been unable to decipher the information on the laptops.

Wireless

Wireless computing is a particularly risky area, whether used in or away from the office. Without proper protection, using wireless is like broadcasting in open air for anyone to see. The original wireless security standard, WEP, is flawed and unreliable. The world record for cracking WEP, set in April 2007, currently stands at 3 seconds. WEP's vulnerability was demonstrated by recent problems at TJX, the parent company of TK Maxx, where the biggest loss of credit card data in history took place. Hackers stole 45 million customer records from the TK Maxx parent company by breaking into the company's wireless LAN. WEP had been used to secure the wireless network, but WEP is one of the weakest ways of securing wireless and it didn't stand up to the attack. If the customer records had been securely encrypted, the customer data would have been safeguarded.

Copyright 1998-2014 by Help Net Security.