A defensive approach to staying in control of data security

Varonis Systems : 28 March, 2013  (Technical Article)
Rob Sobers of Varonis comments on the plain text password goof of GCHQ and the wider issue of staying in control of who has access to what data

Everyone makes novice mistakes, and even crafty old veterans fumble the ball every once in a while. In data security, however, small mistakes can have very big consequences.

Recently, university student Dan Farrall reported that the job application website of GCHQ, one of the UK's intelligence agencies, sends applicants their passwords in plain text via email.

There are plenty of reasons why this is a ridiculously bad practice that can expose very sensitive information to the wrong people: a password that can be emailed back must be held in a recoverable form, and it then travels through mail servers and sits in inboxes in the clear. Nor is it only password handling that is susceptible to oversight, laziness or miscommunication, or whatever else it is that exposes vulnerabilities. Often we are just an angle bracket away from SQL injection or a right-click away from global access.

The lesson here is that we cannot take security for granted. Even the organisations you would assume are best equipped to secure your data may not have visibility of everything they manage.

Storing passwords properly (salted and hashed, so that there is nothing to email back) is certainly not beyond the grasp of a partner of an intelligence agency like GCHQ. In fact, for the majority of the security challenges we face there is a known solution. But the volume of data we manage, the interconnectedness of our systems, organisational bureaucracy and, frankly, people make security much harder than it seems. This case in particular highlights the need to check your third party providers and their business practices thoroughly, especially in the area of security.
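As an added illustration, not code from Varonis or from the original article, here is the "known solution" the paragraph refers to, in Python. Passwords are kept only as salted PBKDF2 hashes, so an applicant site built this way has nothing it could email back; a forgotten password is handled with a short-lived, single-use random token instead, and only the token's hash is stored. The in-memory dictionaries, iteration count, user names and timestamps are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for the application database (example only).
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry timestamp)

PBKDF2_ITERATIONS = 600_000   # OWASP figure for PBKDF2-HMAC-SHA256; tune to the server
TOKEN_TTL_SECONDS = 15 * 60   # reset links should die quickly


def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted derivation: a leaked table cannot be turned back into passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    # A fresh random salt per user means identical passwords do not share a hash.
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _derive(password, salt)}


def verify(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        _derive(password, b"\x00" * 16)   # spend the same time for unknown users
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))


def begin_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Issue the one-time token that goes in the reset e-mail (never the password).

    Only sha256(token) is stored, so a copy of the database cannot be used to
    complete a reset. Returns None for unknown users; the caller should still
    send a neutral "if that account exists..." message.
    """
    if username not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()
    RESET_TOKENS[key] = (username, now + TOKEN_TTL_SECONDS)
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token and set a new password; False if unknown, used or expired."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()
    entry = RESET_TOKENS.pop(key, None)   # single use, valid or not
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    register(username, new_password)   # new salt, new hash
    return True
```

The point of the design is that a "send me my password" feature is impossible to build on top of this store. The only way to offer one is to keep passwords in a recoverable form, which is the root mistake in the GCHQ case.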

We have to focus on the basic “blocking and tackling” if we stand a chance of becoming a culture of data security and privacy.

Here are the top five things that can help both individuals and organisations begin to practise defensive driving in today's world.

1 Recognise the value of your information. Without the ability to access and share it securely, almost every business process will be impaired. For individuals it is no different: imagine losing control of your Gmail account.

2 Once we recognise the value of our information, we need to understand where it is stored and how it is shared. Information is easily copied and replicated across many systems and in many formats.

3 Wherever we have assets that need protecting, we need basic controls around them: authentication, authorisation, auditing and alerting. These controls will not stop every attack, but they will certainly stop most of them.

4 Once the right controls for secure collaboration are in place, people need to stick to them. Unsanctioned public cloud services and plain text password resets by third party providers are examples of what not to do. Services the organisation does not know about or approve of are entirely outside its control, and so is the information stored in them.

5 Information that cannot be shared has little or no value. Information available to too many people, or to the wrong people, is a liability. It is most valuable when it is available to the right people and only the right people.
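Points 2, 3 and 5 come down to knowing who can actually reach a given piece of data, which is rarely what the ACL appears to say once nested groups and "Everyone" grants are taken into account. As an added example, not from the article or from any Varonis product, the following Python resolves nested group membership into effective users per path and flags shares that a global principal can reach or that more people than a threshold can reach. The file server, groups and ACL entries are constructed sample data.

```python
from collections import deque

# Principals that stand for "anyone" and cannot be enumerated into named users.
GLOBAL_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed directory data (example only): group -> members (users or nested groups).
GROUP_MEMBERS = {
    "Finance": {"alice", "bob", "Finance-Leads"},
    "Finance-Leads": {"carol"},
    "HR": {"dave", "erin"},
    "IT-Admins": {"frank"},
}

# Constructed ACL entries: (path, principal, right).
ACL = [
    (r"\\fs01\finance\payroll.xlsx", "Finance", "read"),
    (r"\\fs01\finance\payroll.xlsx", "IT-Admins", "write"),
    (r"\\fs01\hr\passport-scans", "HR", "read"),
    (r"\\fs01\hr\passport-scans", "Everyone", "read"),      # the "right-click" goof
    (r"\\fs01\public\templates", "Everyone", "read"),
    (r"\\fs01\public\templates", "Authenticated Users", "write"),
]


def expand(principal, groups=GROUP_MEMBERS):
    """Resolve a user or (nested) group to the set of individual users.

    Breadth-first with a seen-set, so circular group memberships terminate.
    """
    users, seen, queue = set(), set(), deque([principal])
    while queue:
        p = queue.popleft()
        if p in seen:
            continue
        seen.add(p)
        if p in groups:
            queue.extend(groups[p])
        else:
            users.add(p)
    return users


def effective_access(acl=ACL, groups=GROUP_MEMBERS):
    """Return path -> {user: set(rights)}.

    Global principals are recorded under the marker "*" because they cannot be
    expanded into a finite list of people.
    """
    result = {}
    for path, principal, right in acl:
        per_path = result.setdefault(path, {})
        targets = {"*"} if principal in GLOBAL_PRINCIPALS else expand(principal, groups)
        for user in targets:
            per_path.setdefault(user, set()).add(right)
    return result


def find_overexposed(acl=ACL, groups=GROUP_MEMBERS, max_users=5):
    """Return (path, reason) findings suitable for an alert or a review queue.

    Any grant to a global principal is a finding; otherwise a path is flagged when
    more than max_users distinct people can reach it.
    """
    findings = []
    for path, users in sorted(effective_access(acl, groups).items()):
        if "*" in users:
            rights = ",".join(sorted(users["*"]))
            findings.append((path, f"global principal has {rights}"))
        elif len(users) > max_users:
            findings.append((path, f"{len(users)} users have access"))
    return findings


if __name__ == "__main__":
    for path, reason in find_overexposed():
        print(f"{path}: {reason}")
```

Run against real ACL exports the threshold needs tuning per data class, but the shape is the same: expand groups, count people, and treat any global grant on anything sensitive as a finding in its own right rather than as one entry among many.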
