Thursday, April 2, 2015

Limiting the impact of a Security Breach


Every couple of days a new announcement is made in the media about some company being compromised because of an information security failure. The failure can be traced to numerous issues, but it usually comes back to some end-user act that caused it. That act could be misconfigured security settings, loss of company assets, a lack of skilled security resources, a lack of user education, a lack of understanding of the risk, or even gross misconduct by an employee.

According to DatalossDB, a website that lists known breaches, there have been 10 incidents since March 20, 2015. Of those 10 incidents, 6 have stated a total of around 161,685 records lost. This does not include the records compromised by Uber, Kreditech Holding SSL, Twitch and FINRA at the California Department of Labor.

As a consumer there is little you can do to prevent your information from being compromised when an organization is breached and the information is stolen. There are things that can be done to lessen the impact, but depending on what was taken the impact will still be felt. For example, the impact on your personal data will be greater if Personally Identifiable Information (PII) or Personal Health Information (PHI) is stolen than if usernames and passwords are compromised. That said, if you are like the majority of people with an online presence, there is a good chance you reuse your username/password across multiple sites.

In order to protect yourself online as a consumer I would recommend the following behaviors:

  1. Monitor your financial accounts for any unauthorized transactions
  2. Monitor your credit report regularly
  3. Practice password management
    1. Do not reuse your passwords across multiple sites
    2. Use strong passwords
      1. 13 Characters
      2. Special characters such as #$%^&)(!
        1. Try not to use them as the last character in the password
      3. Do not use dictionary words
    3. Use a password storing app
      1. Great to store complex passwords
      2. Still can be compromised
      3. Create a password & pin combination, store only password in the app
        For example, the password stored is C!gaRsR0k, and the pin is 1234. The complete password for the site is actually 1234C!gaRsR0k. This will still protect you if the application is compromised. If you use a different pin for each website, then even if you reuse C!gaRsR0k you will not be at risk of other accounts being compromised.
      4. Change your password regularly
      5. Do not store your password as a password hint on the site
    4. Use two-factor authentication when available
      This is similar to the password-and-pin example above. Some websites offer this option for increased security.
These won't protect you 100% of the time, but they will give you more security and allow you to mitigate the impact quicker.
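The password rules in the list above (13 characters, a special character from #$%^&)(! that is not the last character, no dictionary words) can be turned into a simple policy check. The following is an added example, not code from the original post; the tiny word list, the function names and the "four letters or more" cut-off for a dictionary match are my own assumptions.

```python
"""Password-policy check implementing the rules listed in the post.

Added example; the rule set comes from the post, the word list and
function names are assumptions made for this illustration.
"""
from typing import Iterable, List

MIN_LENGTH = 13
SPECIAL_CHARS = set("#$%^&)(!")

# Tiny stand-in for a real dictionary file (constructed for this example).
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "cigars"}


def has_dictionary_word(password: str,
                        words: Iterable[str] = DICTIONARY_WORDS,
                        min_len: int = 4) -> bool:
    """True if any word of min_len or more letters appears in the password (case-insensitive)."""
    lowered = password.lower()
    return any(len(w) >= min_len and w in lowered for w in words)


def check_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: List[str] = []

    # Rule 1: minimum length.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 2: at least one special character, and not as the last character.
    specials = [c for c in password if c in SPECIAL_CHARS]
    if not specials:
        problems.append("no special character from " + "".join(sorted(SPECIAL_CHARS)))
    elif password[-1] in SPECIAL_CHARS:
        problems.append("special character is the last character")

    # Rule 3: no dictionary words embedded in the password.
    if has_dictionary_word(password):
        problems.append("contains a dictionary word")

    return problems


if __name__ == "__main__":
    for candidate in ("Summer2015!", "1234C!gaRsR0kZq"):
        result = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(result)}")
```

Because the check only reports which rule was broken and never logs the password itself, it can safely be used at sign-up or password-change time.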


In order to protect yourself online as an organization there is a lot that can be done to keep you out of the headlines. These include:
  1. End-user education: train your employees to be better stewards of your data.
  2. Use encryption when possible to protect PII, PHI and critical data.
  3. Do not store passwords in plain text.
  4. Use two-factor authentication; if you are using Office 365 or Google this is free!
  5. Monitor and respond to your logs and alerts.
  6. Verify configuration settings.
  7. Hire a 3rd party to help secure your environment.
  8. Understand your risk.
  9. Compliance and regulatory requirements are more than a checkbox.
Again, following these steps won't protect you 100% of the time, but they will help defend your data and hopefully lessen the chance that you will end up in the media.
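Item 3 above, not storing passwords in plain text, is worth showing concretely: a breach of a plain-text user table hands the attacker every password directly, whereas a table of salted, iterated hashes forces a per-record guessing effort and hides the fact that two users share a password. The following is an added example, not code from the original post. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the record format, the iteration count and the user names are my own choices.

```python
"""Storing passwords as salted, iterated hashes instead of plain text.

Added example for the "do not store passwords in plain text" item.
PBKDF2-HMAC-SHA256 comes from the standard library; the record layout
'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' is an assumption.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

PBKDF2_ITERATIONS = 600_000  # work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record for the password with a fresh random salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per record, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(PBKDF2_ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never treat it as a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


# Constructed user table: the "before" (plain text) and "after" (hashed) forms of the same data.
plaintext_table: Dict[str, str] = {"alice": "C!gaRsR0k", "bob": "C!gaRsR0k"}
hashed_table: Dict[str, str] = {user: hash_password(pw) for user, pw in plaintext_table.items()}


def same_password_distinct_records(table: Dict[str, str]) -> bool:
    """True if alice and bob, who share a password, still have different stored records."""
    return table["alice"] != table["bob"]


if __name__ == "__main__":
    for user, record in hashed_table.items():
        print(user, record)
    print("login ok:", verify_password("C!gaRsR0k", hashed_table["alice"]))
    print("wrong pw:", verify_password("c!garsr0k", hashed_table["alice"]))
    print("shared password visible in plain-text table:", not same_password_distinct_records(plaintext_table))
    print("shared password visible in hashed table:", not same_password_distinct_records(hashed_table))
```

Embedding the algorithm name and iteration count in each record is what lets you raise the work factor later and re-hash users on their next successful login without a flag day.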


Stay Safe, Stay Smokey
