Category: Data Loss Prevention
The Equifax Breach
The patching of the software led to the problems and the Equifax breach that occurred last year but it is not the sole reason. About 145 million customers were affected in total and it is considered to be a disaster for the IT security department of the company. The customers of the company are asking how the hackers moved the systems so smoothly.
This is a question that has been answered by the report published by the US Government Accountability Office or the GAO. This 40-page report provides in-depth study about the breach. The office is of the view that patching failure is not the only cause of the problem. Lack of reporting structure and the collaboration was the other reason for the issue. The other reasons also include lack of data governance and IT asset management.
It Is Time To Think About Data Leakages.
Do You Know Data Leakages Are?
Do you know all the possible ways to take information out of company so that no one would know? I’m sure that there are means and methods for data leakage despite security controls.
Let’s think about how can we control this process better.
First, it’s necessary to understand that there no absolute controls around security. Even if a USB port is blocked, it’s still possible to write some data to USB, if there is system that controls outgoing mails, then it’s still possible to use some trick that intruder might use to send out important data out of the company.
So how to manage information security policies to prevent possible data leakages? Let’s list all possible ways to prevent leakage. There are two general categories – active and proactive security. These terms are sometime hard to understand in real word, so let’s discuss another approach. There are means that will help to prevent the fact of information leakage, and there are means that will help to find out, if information was leaked. Both methods should be considered when building information security at your company.
How to prevent information leakage. First, it’s necessary to apply a security policy which will guaranty the access to the certain data only for trusted persons, in this way you will always know who has access to the data, so it is easier to find possible intruder and to control your employees.
Second, consider all possible ways for information to be stolen, such as sent out by email, copies by some employee, stolen by some spyware software, copies to the external drive, etc. Think about all possible ways and think about risks applied. Try to minimize the risk for the most important data.
Let’s list some possible security issues and the ways how we can get rid of them.
Keyloggers and other spyware software. Keylogger is a program that works in background, records all keystrokes and send out information to third-party. The good idea is to start with firewall, which will allow access to the internet only for a certain programs.
Intruder insider your company. Statistics shows that there are some in most companies. The bad news is that these people might produce more damage that all other attackers. Make sure you know about what employee do, what he or she keeps on his hard disk and all you do comply with privacy policy of your company.
Hardware that might be dangerous. There are software that allows to lock USB ports, there are software that allows to block access to any other writeable media, consider installing these tools on computers and user accounts which doesn’t need to use this functions during their work.
Finally, the key principle about fighting information leakage is to be proactive. You don’t need to wait until some information will be stolen, being a little paranoid will help to save your business. It’s easy to install and integrate into the security policy some audit measures, that will regularly check your company for possible security holes, it’s simple, but it will work.
The Do’s and Don’ts To Avoid Data Breach
No matter what size of data you have, it is always on the target of cyber crooks to be attacked. There is always the risk of Data Breach. Some months back in the current year, Yahoo Japan informed the users that they been hit by a hack attack in which they have compromised the information of about 22 million people. Earlier that incident LivingSocial an online daily dealing website revealed that unfortunately hackers have stolen the personal information of almost half a billion of the customers. These two attacks show how big the concern of online crime has become. There is no country, city, area or even an individual in the world that can claim that he or she has no threat to his or data for getting breached.
Continue reading “The Do’s and Don’ts To Avoid Data Breach”
Data Loss Prevention (DLP) demand is growing
Read Why Data Loss Prevention (DLP) Demand Is Growing
With the importance in data security escalating, there has been an increased demand for the earliest approaches to securing data, namely data loss prevention, say experts.
Data loss prevention (DLP) is a term used to describe software products and strategies that help a network administrator control what data end users can transfer.
According to Trevor Coetzee, regional director, SA and Sub-Saharan Africa at Intel Security, there has been a revival of the DLP market locally and growth globally – in both data loss and data leakage prevention requirements – due to new privacy laws being implemented by countries across the world.
Many SA organisations are investigating solutions in preparation for the privacy laws like POPI within the country, says Coetzee.
Moreover, the demand is also being driven by the growing adoption of cloud services, data going across public cloud services, and increased focus on the insider threat that many organisations face on a daily basis, says Coetzee.
“We are also encountering, unlike what we have seen in the past with emerging technologies and capabilities, that SA companies are adopting cloud strategies and technologies at a surprisingly fast rate.
“As a result, they are now looking for numerous security solutions which align to their strategy – including DLP solutions.”
Research firm Markets and Markets agrees, saying one of the major factors that have helped the DLP market to grow is the increasing focus of organisations towards meeting regulatory and compliance requirements and data saved on public and private cloud.
Apart from this, factors such as increasing data breaches and cyber attacks are boosting the demand for DLP solutions, it adds.
Darryn O’Brien, country manager at Trend Micro Southern Africa, says organisations are realising that their data is no longer just information, but an asset which should be protected from the outside world.
It is this awareness that is driving the need for technologies and processes like DLP to address the situation, he adds.
Perry Hutton, Africa regional vice president at Fortinet, says the flow of data transactions into and out of the data centre, between data centres, or that is used and stored on a wide variety of devices is increasing at a dramatic pace.
During this process, the nature of the data changes, and comprehensive data loss prevention strategy is needed to address these different states, adds Hutton.
DLP strategies need to include not only business sensitive information but personal client and employee information too, as the loss of this data can be just as damaging to a business, says O’Brien. “In short it needs to be holistic and embrace all aspects of the business.”
Are you considering the protection that your data demands?
ITSecurity.Org can help you with your DLP requirements
By Regina Pazvakavambwa
Data Protection 03/02/15
- Tivium Ltd (a green deal energy company with a registered office in North London) has been prosecuted for failing to respond to an Information Notice issued by the ICO. The fine was
£5,000 with a £120 victim surcharge & prosecution costs of £489.85. The company appears to still be trading (apparently based in the North of England) but its website indicates that it is closed to new customers. - The ICO has taken enforcement action against high street and online shoe retailer Office [Office Holdings Ltd, based in the City of London] after the personal data of over one million customers was left exposed due to a hacking incident. The reasons for the ICO action were:-
1. The ICO was informed on 29th May 2014 that a member of the public had hacked into an unencrypted historic Office database that was being stored on a legacy server outside the core infrastructure of the current website.
2. This individual had managed to gain potential access to personal data relating to over a million Office customers, including contact details and website passwords. However, the data controller has confirmed that it does not store customers’ bank details, so financial information was not compromised. Moreover, there is no evidence to suggest that the information accessed has been further disclosed or otherwise used.
3. Office explained that there were several technical measures in place to minimise the risk of such an attack, although the hacker managed to bypass these measures to gain access to the legacy servers undetected.
4. Office has also confirmed that whilst penetration tests were carried out on the new websites before migration, only a single such test was completed on the old system, the results of which were not concluded or recorded, due to the legacy system being in the process of being decommissioned.
5. Office has explained that removing the historic customer data from the database before migration to the new system was believed to add complexity and a material risk of data mismatches, operation downtime and customer disruption, so as to put the project at risk.
6. However, Office has since accepted that in hindsight, the risks of removing these details before migration were less than originally thought. As such, it would appear that the retention of this historic data, some of which may now be inaccurate, was over cautious and not strictly required.
7. Amongst other remedial measures taken by Office since the incident, the servers in question have now been decommissioned and a new hosting infrastructure is in place.
8. At the time of the incident, Office’s public facing privacy policy did not contain any specific reference to retention periods and no formal data protection training was provided to staff. Office has since confirmed that both these matters are being addressed and that new policies will be formalised early in 2015.
Electronic Marketing
- An eye care company has been formally warned by the ICO to stop sending out nuisance text messages or face further action. The ICO has served an enforcement notice on Optical Express (Westfield) Ltd, after over 4,600 people registered concerns between September 2013 and April 2014. The concerns about the unsolicited messages were reported to the mobile networks’ Spam Reporting Service indicating they had not given permission for the company to use their details for marketing [this is a breach of Regulation 22 (2) of the Privacy & Electronic Communications Regulations 2003]. The Glasgow-based business which has branches across the UK had been sending out texts that included details of a competition to win free laser eye surgery.
European Union
- Pinsent Masons (a UK law firm) has published an article in Out-Law news and guidance entitled “Data Protection Officers – will EU businesses face an obligation to appoint one? The article gives a useful summary of the proposed Rules with regards to these Officers in the EU Data Protection Regulation, giving a good summary of the Commission’s view, the Parliament’s view and the (current) view from the
- Under the Council’s plans, no organisation would be under an obligation to appoint a Data Protection Officer (DPO) unless required to do so under other EU legislation or the national laws of individual EU member states. Instead, the Council said organisations “may” appoint a DPO and go on to list conditions that organisations electing to appoint a DPO would have to conform to. Many of the conditions are similar to those supported by the Commission and Parliament. They include that the DPO can act independently
Data Protection
- Pinsent Masons (a UK law firm) has published an article in Out-Law news & guidance entitled “US to create new data breach notification rules”. They reported that the US president Barack Obama had stated that US businesses will be required to notify consumers within 30 days that there has been a breach of the security of their personal data.
- Pinsent Masons reported that the proposal is part of a package of measures president Obama said are needed “…to protect the identities and privacy of the American people. We’re introducing new legislation to create a single, strong national standard so Americans know when their information has been stolen or misused”
- Continuing with his Washington speech, president Obama stated; – “Right now, almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies – and it’s costly, too, to have to comply with this patchwork of laws. Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late. So under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days. In addition, we’re proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans – even when they do it overseas”
- Clearly this new proposal will apply to Capita plc businesses (that process personal data) that are based in the USA. However, it will be interesting to see if these federal proposals help to ensure that Safe Harbour remains available to EU based businesses to transfer personal data to participating organisations in the USA. The future of Safe Harbour is currently under discussion between the European Commission and the US Department of Commerce.