News & Commentary

09:25 AM
Deena Coffman, IDT911 Consulting

Keeping Security Within Reach

Data breach protection can be inexpensive, easy and effective.

Data security doesn’t have to be expensive or frustrating. It’s an axiom worth remembering. By thoughtfully designing a data security program, banks can greatly reduce the risk of data breaches without spending a lot of money or interrupting business. Most security incidents require very little effort on the part of the attacker. In the 2013 Data Breach Investigations Report released by Verizon, 75 percent of all breaches were classified as opportunistic attacks, meaning the victim was chosen because it was easy to get into rather than because it was specifically targeted. In the majority of incidents, then, even a modicum of effort may have been enough to stop the breach.


The first step in data breach prevention is ensuring your employees clearly understand that data security is a critical element of their jobs. Fortunately, good programs don’t have to be laborious. The process should begin during new hire orientation with some simple training. Let employees know what behaviors to avoid (clicking on suspicious links in e-mails, sharing login credentials with other employees, etc.), what a potential security incident would look like and what to do if they see suspicious activity. For maximum impact, it’s important that data protection not be a once-a-year, just-for-compliance sort of activity. Instead, the message should be communicated throughout the year in everyday conversations, and in follow-ups by management as employees are doing their daily work. It’s an inexpensive yet highly effective approach.


Implementing a policy that mandates strong passwords is another tactic that typically costs nothing and needs no complex back-end technology to have a powerful impact. A password should not be a dictionary word, even with a digit or symbol tacked on the end; it should be long (length does more for strength than any other property) and mix uppercase and lowercase letters, numbers and symbols, or be a multi-word passphrase. Bank systems should also require that passwords be changed on a regular schedule, at least twice each year, and immediately whenever a compromise is suspected. Note that later NIST guidance (SP 800-63B) advises against forced periodic changes where long passwords and screening against known-breached passwords are in place, because forced rotation tends to produce predictable variations of the old password; a system that does rotate should at least reject trivial edits of the previous one. A security audit should confirm compliance with the policy, since research shows that employees will not follow the practice if left to their own devices: a poll conducted by antivirus software maker ESET and Harris Interactive found that 45 percent of respondents change their passwords only once a year, while 16 percent never change them.
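The policy check and the compliance audit described above, as an added example that is not code from the article or its author. The policy values (a 12-character minimum, a character-class rule that is waived for passphrases of 20 characters or more, a 182-day maximum age), the short denylist and the sample account records are all constructed for illustration; a real deployment would screen against a full breached-password list and read last-change dates from the directory service.

```python
"""Password policy check and password-age audit (added example).

Policy constants, denylist and sample accounts are constructed assumptions.
"""
import re
from datetime import date

MIN_LENGTH = 12          # assumption: policy minimum for ordinary passwords
PASSPHRASE_LENGTH = 20   # assumption: at this length the character-class rule is waived
MAX_AGE_DAYS = 182       # "at least twice each year"
REPORT_DATE = date(2013, 6, 1)   # constructed "today" for the audit run

# Constructed denylist standing in for a dictionary / breached-password list.
DENYLIST = {"password", "welcome", "letmein", "qwerty", "summer", "banking"}


def check_password(pw: str, username: str = "") -> list:
    """Return the policy violations for pw; an empty list means it is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(1 for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
                  if re.search(pattern, pw))
    if classes < 3 and len(pw) < PASSPHRASE_LENGTH:
        problems.append("uses fewer than three character classes")
    # Drop digits and symbols and lower-case the rest, so that "Password1!" is
    # still recognised as the dictionary word "password".
    core = re.sub(r"[^a-z]", "", pw.lower())
    if pw.lower() in DENYLIST or core in DENYLIST:
        problems.append("based on a dictionary or well-known weak word")
    if username and username.lower() in pw.lower():
        problems.append("contains the user name")
    return problems


def stale_accounts(records, today: date, max_age_days: int = MAX_AGE_DAYS) -> list:
    """records: iterable of (username, date of last password change).
    Return the user names whose password is older than the policy allows."""
    return sorted(user for user, changed in records
                  if (today - changed).days > max_age_days)


# Constructed sample data for a stand-alone run.
SAMPLE_ACCOUNTS = [
    ("jsmith", date(2013, 1, 15)),
    ("mlee", date(2013, 5, 2)),
    ("contractor7", date(2012, 3, 30)),
]

if __name__ == "__main__":
    for candidate in ("Password1!", "correct horse battery staple", "xK9#qLm2$vR4wP"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
    print("passwords older than policy:", stale_accounts(SAMPLE_ACCOUNTS, REPORT_DATE))
```

The denylist lookup strips digits and symbols before comparing, because the usual way employees satisfy a complexity rule is to append "1!" to a word the policy was meant to forbid.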


Antivirus software is a best practice, and it is hard to imagine an organization that does not run it on its servers and desktops. Many of the challenges facing today’s organizations revolve around keeping antivirus protection current on mobile devices and laptops, which can pick up malware from links in e-mail, web browsing and other activity while they are away from the protection of the network. Require mobile devices to pass an antivirus scan with current signatures each time they are allowed to rejoin the network. Even systems that update automatically need to be monitored, because some updates do not complete successfully and the device silently falls behind. Produce and review a report that lists which devices have not updated, and remediate those devices as they return to the network.
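The "which devices have not updated" report, as an added example that is not code from the article or its author. It reads an agent check-in export (a constructed CSV string here; the column names are an assumption about what a console exports), compares each device's signature version with the version the vendor currently publishes, and flags anything behind, stale or whose last update attempt failed. The current signature version, the three-day window and the report time are all constructed values.

```python
"""Antivirus signature compliance report (added example).

SAMPLE_CSV, CURRENT_SIGNATURE, MAX_AGE and REPORT_TIME are constructed assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

CURRENT_SIGNATURE = "1.171.320.0"          # assumption: version the vendor currently publishes
MAX_AGE = timedelta(days=3)                # assumption: policy window for a successful update
REPORT_TIME = datetime(2013, 6, 3, 9, 0)   # constructed "now" for the report run

# Constructed sample export; columns are assumed, not a specific vendor's format.
SAMPLE_CSV = """host,type,signature,last_update,last_status
FS01,server,1.171.320.0,2013-06-03T02:10:00,success
WS-112,desktop,1.171.320.0,2013-06-03T01:55:00,success
WS-140,desktop,1.171.290.0,2013-05-28T08:12:00,failed
LT-007,laptop,1.171.300.0,2013-05-30T17:40:00,success
LT-019,laptop,1.171.320.0,2013-06-02T23:05:00,success
"""


def parse_version(version: str) -> tuple:
    """'1.171.290.0' -> (1, 171, 290, 0) so that versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def noncompliant_devices(csv_text: str, now: datetime,
                         current: str = CURRENT_SIGNATURE,
                         max_age: timedelta = MAX_AGE) -> dict:
    """Return {host: [reasons]} for every device that needs remediation."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if parse_version(row["signature"]) < parse_version(current):
            reasons.append(f"signature {row['signature']} behind {current}")
        updated = datetime.fromisoformat(row["last_update"])
        if now - updated > max_age:
            reasons.append(f"no successful update for {(now - updated).days} days")
        if row["last_status"] != "success":
            reasons.append(f"last update attempt {row['last_status']}")
        if reasons:
            report[row["host"]] = reasons
    return report


def format_report(report: dict) -> list:
    """One line per device, laptops sorted after nothing in particular: keep it simple."""
    return [f"{host}: " + "; ".join(reasons) for host, reasons in sorted(report.items())]


if __name__ == "__main__":
    for line in format_report(noncompliant_devices(SAMPLE_CSV, REPORT_TIME)):
        print(line)
```

The version comparison is done on integer tuples rather than strings, because "1.171.90.0" sorts after "1.171.320.0" as text and an auto-update that is months behind would otherwise look current.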


Give employees the tools to encrypt any data that moves outside the protections in place on the network. Secure e-mail transmissions with encryption, and provide encrypted USB drives for any documents that must travel with employees. Do not permit unencrypted documents to be loaded onto laptops with unencrypted drives, which may be lost, stolen or accessed surreptitiously while employees connect to public Wi-Fi in hotels, airports and coffee shops. Encrypting documents on mobile devices can go a long way toward preventing a data loss from becoming a data breach that requires notification, since many breach-notification rules do not treat the loss of properly encrypted data as a breach. That protection only holds if the key does not travel with the device: a passphrase written on the drive’s label, or a laptop that is lost while suspended with the disk unlocked, hands the finder everything at once. Encrypted USB drives are available that are easy to use and inexpensive, and some allow a company to remotely wipe the documents if the drive is lost or stolen.
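A minimal tool for encrypting a document before it goes onto a USB drive, as an added example that is not code from the article or its author. It uses AES-256-GCM from the `cryptography` package (assumed to be installed) with a key derived from a passphrase by PBKDF2-HMAC-SHA256 from the standard library, so a lost drive yields only ciphertext and any modification of the file is detected on decryption. The container layout (magic bytes, salt, nonce, ciphertext with tag) and the iteration count are this example's own choices, not a standard format.

```python
"""Passphrase-based document encryption for removable media (added example).

Requires the `cryptography` package. MAGIC, the container layout and
PBKDF2_ITERATIONS are this example's own assumptions.
"""
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"USBDOC1\0"          # assumption: identifies this container format
SALT_LEN = 16
NONCE_LEN = 12                # GCM standard nonce size
TAG_LEN = 16
PBKDF2_ITERATIONS = 600_000   # assumption; raise as hardware allows


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    """32-byte AES key from the passphrase; the per-file salt defeats precomputation."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def encrypt_document(plaintext: bytes, passphrase: str) -> bytes:
    """Return MAGIC || salt || nonce || ciphertext+tag. Fresh salt and nonce every call."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    key = _derive_key(passphrase, salt)
    # The header is passed as associated data, so it is authenticated but not encrypted.
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, MAGIC)
    return MAGIC + salt + nonce + ciphertext


def decrypt_document(blob: bytes, passphrase: str) -> bytes:
    """Return the plaintext; raise ValueError on a wrong passphrase or any tampering."""
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("not an encrypted document container")
    offset = len(MAGIC)
    salt = blob[offset:offset + SALT_LEN]
    offset += SALT_LEN
    nonce = blob[offset:offset + NONCE_LEN]
    offset += NONCE_LEN
    key = _derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, blob[offset:], MAGIC)
    except InvalidTag:
        # Do not say which: wrong passphrase and modified ciphertext are indistinguishable here.
        raise ValueError("wrong passphrase or tampered file") from None


def tamper_is_detected(blob: bytes, passphrase: str, index: int = -1) -> bool:
    """Flip one bit of the container and confirm decryption refuses it."""
    damaged = bytearray(blob)
    damaged[index] ^= 0x01
    try:
        decrypt_document(bytes(damaged), passphrase)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample document and passphrase.
    doc = b"Customer list - branch 14 - do not distribute"
    container = encrypt_document(doc, "correct horse battery staple")
    print("container bytes:", len(container))
    print("round trip ok:", decrypt_document(container, "correct horse battery staple") == doc)
    print("tampering detected:", tamper_is_detected(container, "correct horse battery staple"))
```

GCM gives integrity as well as confidentiality, which is the property that matters for the "data loss versus data breach" argument: a finder who cannot read the file also cannot alter it undetected. The passphrase strength is the weak point, so pair this with the password policy from the previous section.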


At the administrator level, there are additional no-cost or low-cost steps that further protect your institution’s information. Be sure that in-house IT staff and contract IT providers who hold administrator privileges use those credentials only for the activities that require them, and do routine work such as e-mail and web browsing from an ordinary user account. It is easy and common for someone with administrator-level access to use an administrator account all day, but it is a dangerous practice, because any malware that person encounters runs with full privileges, and scaling back how often the account is used is free. Monitor administrator-level usage and confirm the activity is logged to write-once or otherwise tamper-resistant storage that administrators themselves cannot alter, so that in the event of a breach you are positioned to receive early alerts on suspicious activity and contain the damage. The log files provide evidence of what was and was not accessed, allowing your response to be tailored rather than broad and sweeping. Lastly, if anyone holds administrator-level login credentials that they do not really need, remove them. Account permissions should be audited monthly to confirm they align with assigned responsibilities and current employee lists. It is all too common for contractors with special access to complete a project and for that access to remain in place after they have moved on to another project.
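The two checks in this paragraph, the monthly reconciliation of privileged accounts against the current staff list and the review of administrator-account usage in the logs, as an added example that is not code from the article or its author. The log lines, the privileged-account ownership table, the staff roster, the "everyday application" list and the host-naming convention (workstations and laptops prefixed WS- and LT-) are all constructed assumptions; the log format is a simple key=value layout, not any particular product's. The log text would come from the central, administrator-immutable copy described above.

```python
"""Privileged-account reconciliation and admin-usage review (added example).

SAMPLE_LOG, ACCOUNT_OWNER, ACTIVE_STAFF, EVERYDAY_APPS and WORKSTATION_PREFIXES
are constructed assumptions.
"""

# Privileged account -> the person responsible for it (constructed).
ACCOUNT_OWNER = {
    "adm-jsmith": "jsmith",
    "adm-rkhan": "rkhan",
    "svc-backup": "rkhan",
    "contractor-ops": "vendor-acme-dave",   # project finished, access never removed
}

# Current employee list from HR (constructed).
ACTIVE_STAFF = {"jsmith", "rkhan", "mlee"}

# Applications an administrator account should never be running (assumption).
EVERYDAY_APPS = {"outlook.exe", "iexplore.exe", "firefox.exe", "chrome.exe", "winword.exe"}

# Assumption: host naming convention distinguishes user devices from servers.
WORKSTATION_PREFIXES = ("WS-", "LT-")

# Constructed log excerpt, one event per line, key=value after the timestamp.
SAMPLE_LOG = """\
2013-06-03T08:02:11 host=WS-112 user=adm-jsmith event=logon type=Interactive
2013-06-03T08:03:40 host=WS-112 user=adm-jsmith event=process name=outlook.exe
2013-06-03T08:15:02 host=WS-112 user=adm-jsmith event=process name=iexplore.exe
2013-06-03T09:30:27 host=FS01 user=adm-rkhan event=logon type=RemoteInteractive
2013-06-03T09:31:05 host=FS01 user=adm-rkhan event=process name=mmc.exe
2013-06-03T11:12:44 host=WS-140 user=mlee event=logon type=Interactive
2013-06-03T22:00:01 host=FS01 user=svc-backup event=logon type=Service
2013-06-03T23:41:19 host=DC01 user=contractor-ops event=logon type=RemoteInteractive
"""


def orphaned_privileged_accounts(account_owner: dict, active_staff: set) -> list:
    """Privileged accounts whose responsible person is no longer an active employee."""
    return sorted(acct for acct, owner in account_owner.items() if owner not in active_staff)


def parse_line(line: str) -> dict:
    """'<ts> k=v k=v ...' -> {'ts': ..., 'k': 'v', ...}."""
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = timestamp
    return fields


def review_privileged_activity(log_text: str, account_owner: dict, active_staff: set) -> dict:
    """Return {account: sorted findings} for privileged accounts used outside policy."""
    orphaned = set(orphaned_privileged_accounts(account_owner, active_staff))
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        user = event["user"]
        if user not in account_owner:
            continue   # ordinary user account: out of scope for this review
        notes = findings.setdefault(user, set())
        if user in orphaned:
            notes.add("activity by account whose owner is not an active employee")
        if (event["event"] == "logon" and event.get("type") == "Interactive"
                and event["host"].startswith(WORKSTATION_PREFIXES)):
            notes.add(f"interactive logon on workstation {event['host']}")
        if event["event"] == "process" and event.get("name") in EVERYDAY_APPS:
            notes.add(f"everyday application {event['name']} run with admin rights")
    return {user: sorted(notes) for user, notes in findings.items() if notes}


if __name__ == "__main__":
    print("remove or re-justify:", orphaned_privileged_accounts(ACCOUNT_OWNER, ACTIVE_STAFF))
    for user, notes in review_privileged_activity(SAMPLE_LOG, ACCOUNT_OWNER, ACTIVE_STAFF).items():
        print(user)
        for note in notes:
            print("  -", note)
```

In the sample, adm-rkhan's remote session to a file server to run the management console is exactly what an administrator account is for and produces no finding, while adm-jsmith's desktop logon followed by e-mail and a browser is the "use it every day" habit the text warns about, and contractor-ops is the leftover access the monthly audit exists to catch.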

Deena Coffman is Chief Operating Officer for IDT911 Consulting and Information Security Officer for IDentity Theft 911.
