Data security is an enormous topic. Surprisingly though, for all the media coverage, you never hear anything besides ‘[somebody] didn’t do enough’. But what is ‘enough’? What form does ‘enough’ take?
Like any type of insurance, data security costs. Whether those costs take the form of extra staff, training, custom code or products and services, you pay for the protections you implement. But unlike traditional insurance (property, health, etc.) the costs of mitigation often have no relationship to your potential loss.
With traditional insurance, a team of specialists (actuaries) performs highly complex analyses to assess risk and set a price that tries to strike a balance between the need to price competitively and the desire for profit. As a consumer you simply choose what you want to cover and for how much. With data security things are quite different. The cost of products or services often has no direct relationship to the potential for loss, and your company’s loss potential itself is often very difficult to quantify.
You Must Become Your Own Actuary
This post is the first in a three-part series describing how to properly assess your data security needs. Like buying any insurance, there is no reason to pay for protection you don’t need. Yet your business can’t afford to leave significant risk on the table. To get all (and only) the protection that is useful, you must become your own actuary: quantify and prioritize potential losses, then develop a plan to mitigate loss cost-effectively.
In this series, part one covers sources of risk. Part two gives you an idea of the significant number of attack vectors possible. Part three talks about the mindset needed to design proper protections and how to look at the extent to which various protection types mitigate various risks.
The Key is Balance
Overprotection not only incurs unnecessary monetary costs; heavy-handed protection schemes can cause the wheels of your business operation to grind to a halt. Underprotecting data can result in the financial or competitive destruction of a company. To strike this balance, you must quantify your potential loss under numerous circumstances.
Assessing Risk: Quantify and Consider the Losses Your Business Could Suffer from Unexpected Access to Your Data
- Consider the cost if data were misused: disclosed to your competitors, or used to stalk, impersonate or steal from someone you hold information about.
- Consider the cost of vandalism. That is, the destruction or malicious modification of data. In this category you must include modifications the perpetrator hopes will not be noticed.
- Be sure to include the impact to your business if a system outage or other downtime is required to deal with the impact of a breach.
- Consider more than customer or web data. Be sure to include email systems, source code management systems and any security systems you might have.
- Reassess regularly. The impact often changes over time.
- Assign a dollar amount to each type of loss so you can properly prioritize.
- Decide how much you can afford (not) to spend!
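As an added worked example (not code from the original post), here is one way to act as your own actuary in code: a small risk register that assigns a dollar figure and an estimated yearly frequency to each loss type listed above, ranks the entries by expected annual loss, and then compares each candidate protection’s yearly cost against the loss it would prevent, so that protection which costs more than the loss it averts is left out of the plan. The expected-loss model (single loss × yearly frequency), the asset names, the dollar figures and the candidate controls are all constructed assumptions for illustration, not figures from the post.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    loss_type: str           # disclosure, vandalism, outage, destruction ...
    single_loss: float       # dollars lost if this happens once (your estimate)
    events_per_year: float   # how often you expect it to happen (your estimate)

    @property
    def key(self):
        return (self.asset, self.loss_type)

    def annual_expected_loss(self) -> float:
        # Assumed model: single-loss amount times yearly frequency.
        return round(self.single_loss * self.events_per_year, 2)


@dataclass
class Control:
    name: str
    annual_cost: float
    covers: list        # (asset, loss_type) keys this control addresses
    reduction: float    # fraction of those loss events it prevents, 0..1


# Constructed sample register: replace with your own assets and estimates.
RISKS = [
    Risk("customer_db", "disclosure", 500_000, 0.05),
    Risk("customer_db", "vandalism", 80_000, 0.10),
    Risk("email", "disclosure", 40_000, 0.20),
    Risk("source_repo", "destruction", 300_000, 0.02),
    Risk("web", "outage", 20_000, 1.00),
]

# Constructed candidate protections with assumed costs and effectiveness.
CONTROLS = [
    Control("Tested offsite backups", 4_000,
            [("source_repo", "destruction"), ("customer_db", "vandalism")], 0.9),
    Control("Email DLP", 15_000, [("email", "disclosure")], 0.5),
    Control("DB encryption and access review", 12_000,
            [("customer_db", "disclosure")], 0.6),
    Control("Hosting redundancy", 9_000, [("web", "outage")], 0.7),
]


def prioritize(risks):
    """Rank losses by expected annual cost, largest first."""
    return sorted(risks, key=lambda r: r.annual_expected_loss(), reverse=True)


def annual_benefit(control, risks):
    """Expected yearly loss a control removes, summed over the risks it covers."""
    by_key = {r.key: r for r in risks}
    return round(sum(by_key[k].annual_expected_loss() * control.reduction
                     for k in control.covers if k in by_key), 2)


def evaluate_controls(controls, risks):
    """Cost versus benefit for each control, best net value first."""
    rows = []
    for c in controls:
        benefit = annual_benefit(c, risks)
        rows.append({"control": c.name, "cost": c.annual_cost,
                     "benefit": benefit, "net": round(benefit - c.annual_cost, 2)})
    return sorted(rows, key=lambda r: r["net"], reverse=True)


def plan_within_budget(controls, risks, budget):
    """Greedy plan: take controls in order of net value while they fit the budget.

    A control whose cost exceeds the loss it prevents is skipped: for that
    risk you are better off accepting (self-insuring) the loss.
    """
    chosen, spent = [], 0.0
    for row in evaluate_controls(controls, risks):
        if row["net"] <= 0:
            continue
        if spent + row["cost"] <= budget:
            chosen.append(row["control"])
            spent += row["cost"]
    return chosen, spent


if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{r.asset:12} {r.loss_type:12} expected loss/yr ${r.annual_expected_loss():>10,.2f}")
    for row in evaluate_controls(CONTROLS, RISKS):
        print(f"{row['control']:32} cost ${row['cost']:>8,.0f} "
              f"prevents ${row['benefit']:>9,.2f} net ${row['net']:>10,.2f}")
    print(plan_within_budget(CONTROLS, RISKS, budget=20_000))
```

The benefit of each control is computed independently, so two controls covering the same risk would be double-counted; treat the output as a first prioritization, then reassess as the figures change over time.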
Assessing Risk: Who Wants Your Data?
Bank robbery. Embezzlement. Home burglary. Street mugging.
- As the largest bodies of high-value data become harder and harder to hack, smaller bodies of data, or lower-value data, are seen as more cost-effective to attack.
- Your proximity to a potential attacker increases your risk. Being ‘out there’ on the web puts you directly in many attackers’ neighborhood.
Panning for gold
- Even seemingly worthless data might be the target of an attack simply because it isn’t protected well and ‘might’ contain something of value.
- Systems with low protection can be:
  - A playground for someone trying to understand or otherwise get experience in hacking with no specific target or goal in mind.
  - A convenient testing ground for malicious activity being developed for eventual use against a more vigilant target.
- Hardware, software and even human failures (accidents), while rarely publicized, are a significant source of data loss. Not having a tested recovery plan can doom your data (and perhaps your company) even if nobody ever tries to hack your system.
Assessing access barriers
- Once access is granted, what barriers exist to prevent the spread of that access? In other words, how vulnerable is that access to being misused, subverted, divulged or stolen?
- Do you test the effectiveness of those barriers?
- Are passwords hard to guess? Do people write them down and keep them near at hand?
- Can someone get a password reset without passing a credible identification process?
- Do employees understand the company’s reliance on their role in data protection?
Assessing Risk: How Much Access Does Any One Person, Application or Credential Have?
- What data or functionality each access path exposes should determine the priority and strength of the barriers needed against unauthorized use of that path.
- When a given access method exposes data or functional capabilities not actually needed by the grantee, it unnecessarily increases data risk by exposing more potential for loss.
- Can a credential or other access be leveraged to gain additional access? For example, can it decrypt encrypted data? Reset passwords with other permissions? Trace activity of other users or scrape memory? Can it place a script, software or procedure change in a place that will later be executed by a person or job with different privileges? Does it have any ability to create a back door that can be used after access is revoked?
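The leverage question above (can a credential reset other passwords, or change something that later runs with someone else’s privileges?) is easier to answer when you write the grants down and follow them transitively. The following is an added example, not code from the original post: a constructed directory in which each principal has plain resource grants plus “control” grants that let it act as another principal (reset their password, edit a script their job runs). The report lists every principal whose reachable access exceeds what it was directly given. All principal and resource names are made up for illustration.

```python
from collections import deque

# Constructed sample directory. A grant is either a plain resource such as
# "customer_db:read" or "control:<principal>", meaning this principal can
# take over <principal> (password reset, editing a job they execute, ...).
DIRECT_GRANTS = {
    "helpdesk_svc": {"ticket_db:read", "control:alice"},       # can reset alice's password
    "alice":        {"hr_share:read", "control:nightly_job"},  # can edit the nightly job's script
    "nightly_job":  {"backup_key:decrypt", "customer_db:read"},
    "bob":          {"customer_db:read"},
    "auditor":      {"audit_log:read"},
}


def effective_access(principal, grants):
    """Follow control edges transitively.

    Returns (resources reachable, other principals reachable).
    """
    seen = {principal}
    queue = deque([principal])
    resources = set()
    while queue:
        p = queue.popleft()
        for g in grants.get(p, ()):
            if g.startswith("control:"):
                target = g.split(":", 1)[1]
                if target not in seen:          # handles cycles of mutual control
                    seen.add(target)
                    queue.append(target)
            else:
                resources.add(g)
    seen.discard(principal)
    return resources, seen


def hidden_access(principal, grants):
    """Resources the principal can reach only by leveraging other identities."""
    direct = {g for g in grants.get(principal, ()) if not g.startswith("control:")}
    effective, via = effective_access(principal, grants)
    return effective - direct, via


def report(grants):
    """Principals whose reachable access exceeds their direct grants, widest reach first."""
    rows = []
    for p in grants:
        extra, via = hidden_access(p, grants)
        if extra:
            rows.append((p, sorted(extra), sorted(via)))
    return sorted(rows, key=lambda r: len(r[1]), reverse=True)


if __name__ == "__main__":
    for principal, extra, via in report(DIRECT_GRANTS):
        print(f"{principal}: reaches {extra} by controlling {via}")
```

In the sample data the help-desk service account was only ever granted ticket access, yet through one password reset and one editable job script it can reach the backup decryption key. That is exactly the kind of exposure the questions above are meant to surface, and the place to add a barrier (or remove the grant) before revisiting the dollar figures.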
Assessing Risk: Are Potential Breaches and Breach Attempts Investigated Thoroughly?
- When nobody looks into failed attempts, it leaves the attacker free to make stronger attempts.
- Since no system is completely invulnerable, catching an attacker before they succeed is your only hope to prevent an eventual breach.
- An attack attempt is often your only clue that a specific attacker who must be stopped actually exists.
- If 99% of all security alerts turn out to be innocent activity, you still have a 2% attack rate, not 1%, if you were wrong about just one of the alerts you dismissed as innocent.
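Looking into failed attempts only works if somebody actually collects and sorts them. As an added example (not from the original post), the code below runs over a few constructed authentication log lines and surfaces two things worth a human’s attention: a source that fails against several different accounts in a short window, and a success that follows recent failures from the same source, the kind of event that is easy to wave off as a user typing badly. The log format, addresses, user names and thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <FAIL|OK> user=<name> src=<address>".
LOG = """\
2024-05-01T09:00:01Z FAIL user=alice src=198.51.100.7
2024-05-01T09:00:04Z FAIL user=alice src=198.51.100.7
2024-05-01T09:00:09Z FAIL user=bob src=198.51.100.7
2024-05-01T09:00:15Z FAIL user=carol src=198.51.100.7
2024-05-01T09:00:20Z OK user=carol src=198.51.100.7
2024-05-01T09:10:00Z FAIL user=dave src=203.0.113.9
2024-05-01T09:30:00Z OK user=dave src=203.0.113.9
2024-05-01T10:00:00Z FAIL user=erin src=192.0.2.44
"""


def parse(log_text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ok": result == "OK",
            "user": user.split("=", 1)[1],
            "src": src.split("=", 1)[1],
        })
    return sorted(events, key=lambda e: e["ts"])


def spray_sources(events, window_minutes=5, min_failures=3, min_users=2):
    """Sources with many failures across several accounts inside one window."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append(e)
    flagged = []
    for src, fails in by_src.items():
        for i, first in enumerate(fails):
            run = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(run) >= min_failures and len({f["user"] for f in run}) >= min_users:
                flagged.append(src)
                break
    return sorted(flagged)


def success_after_failures(events, window_minutes=5):
    """(source, user) pairs where a login succeeded shortly after failures from that source."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)   # src -> timestamps of earlier failures
    hits = []
    for e in events:
        if e["ok"]:
            if any(e["ts"] - t <= window for t in recent[e["src"]]):
                hits.append((e["src"], e["user"]))
        else:
            recent[e["src"]].append(e["ts"])
    return hits


if __name__ == "__main__":
    evs = parse(LOG)
    print("investigate sources:", spray_sources(evs))
    print("successes after failures:", success_after_failures(evs))
```

Widening the window (for example to 30 minutes) also surfaces the single failure followed by success from 203.0.113.9; whether that is a legitimate user or the one alert you were wrong about is exactly the question that has to be answered by looking rather than assumed.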
A very small company with little or no private data may find most of the above issues not applicable, but experience has shown that every company has at least some data that warrants protection, if not from being divulged, then from being altered or destroyed.
In the next installment (part two), we will focus your mindset on attack vectors. Until then, be sure all your important data is being backed up, and more importantly, that you can successfully restore it! If your restores don’t work, you may as well just send me the money you spend on hardware, software and manpower to perform backups. I won’t throw it away.