Reducing the risk of unauthorized information disclosure

Motivating my thinking is yet another data breach.

This time, reported by Scotland’s Sunday Herald in an article:
Revealed: 8 million victims in the world’s biggest cyber heist

Target:
Best Western Hotels

What was lost:

Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment.

According to Bill Brenner of SearchSecurity’s analysis of the 2007 Ponemon Institute study on data breach costs, the average cost of a data breach was roughly $200 per record.

The expected cost to Best Western: 8,000,000 records × $200/record = $1.6 billion USD.

Now, none of this is rocket science.

Research on the cost of a data breach is published regularly, and most companies can easily determine their total number of potential records.

Looking at a bedrock equation of information security:
Risk = threat × vulnerability × cost

We’ve already got the cost, and an organization like Best Western should assume that the threat of being attacked is very high.

Last is the vulnerability component: the exposure of personally identifiable information, up to and including credit card data.

While an organization like Best Western may not be able to affect the threat and cost components, they sure can do a lot on the vulnerability front.

They can do that through a number of mechanisms, both technical and non-technical (insurance and whatnot), and hence reduce the total risk.

I’ll focus on a few simple things:

1) Determine which data is the most costly to lose

For instance, does an organization need to retain the credit card information of every patron after they have cleared their tab?

If so, should that data be encrypted?

And should access permissions be put in place that prevent bulk reads by the database account that serves the website?

How much non-credit card customer history information do you really need to use for business analysis?

If you don’t need more than 3 months of client data, then archive the rest off-disk.

The rule of thumb in this area is that if the data isn’t critical for business operation, then get rid of it, securely!
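As an added example (not from the original post), this is how the bulk-read restriction and the 3-month retention rule from this section could look in PostgreSQL; the table, column and role names, and the placeholder password, are assumptions.

```sql
-- Added example (not from the original post): least-privilege grants for the
-- database account that serves the website, in PostgreSQL syntax.
-- Table, column and role names are hypothetical.

CREATE TABLE guest_payment (
    guest_id      bigint PRIMARY KEY,
    full_name     text NOT NULL,
    home_address  text,
    phone         text,
    card_number   text,        -- should itself be encrypted or tokenised at rest
    card_expiry   date,
    last_stay     date NOT NULL
);

-- The web tier connects as web_app and never owns the table.
CREATE ROLE web_app LOGIN PASSWORD 'placeholder-change-me';

-- No direct table access for the website account: no SELECT, so no bulk reads.
REVOKE ALL ON guest_payment FROM PUBLIC;
REVOKE ALL ON guest_payment FROM web_app;

-- Expose one guest at a time through a function that runs with the owner's
-- rights and returns only what a booking page needs, with the card masked.
CREATE FUNCTION lookup_guest(p_guest_id bigint)
RETURNS TABLE (full_name text, card_last4 text, card_expiry date)
LANGUAGE sql
SECURITY DEFINER
SET search_path = public
AS $$
    SELECT g.full_name, right(g.card_number, 4), g.card_expiry
    FROM   guest_payment AS g
    WHERE  g.guest_id = p_guest_id;
$$;

REVOKE ALL ON FUNCTION lookup_guest(bigint) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION lookup_guest(bigint) TO web_app;

-- Retention: keep only guests whose last stay is within the 3 months the post
-- suggests; run from a scheduled job after the older rows are archived off-disk.
DELETE FROM guest_payment
WHERE  last_stay < current_date - interval '3 months';

-- Check what web_app can actually reach.
SET ROLE web_app;
SELECT * FROM guest_payment;      -- fails: permission denied for table guest_payment
SELECT * FROM lookup_guest(42);   -- succeeds: at most one row, card masked
RESET ROLE;
```

The final two queries are the validation step: a compromised website account can look up guests one at a time but cannot dump the table.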

2) Analyze insider access

Who/what, internally, has need-to-know access to the data?

How much access do they need?

Are policies, procedures and technical controls in place to prevent unauthorized access?

3) Analyze partner access

What partners have access to the data?

Exactly what data do they need?

Are they accessing the data using accounts that cannot reach information they shouldn’t see?

What is the partner’s security policy for dealing with this information? Can you trust them?

4) Review policies, procedures, and do validation

Regular review of policies and procedures should be performed.

And most importantly, routine validation of the system should be performed.

A validation check should be both a timed and a triggered event. It should run on a regular schedule to ensure that it actually happens, and it should also be triggered by events such as: a new partner added; a DBA is terminated; a new contractor is hired…

5) Assume the worst will happen

Because it will.

Bill