The Art of Data Protection
With a new world record set for the largest stockpile of breached records, there has been no more obvious time than yesterday to take a “Secure the Breach” mindset—positioning organizations and retailers for successful breach-mitigation and breach-resiliency. Data that is strongly encrypted and protected with two factor authentication renders data breaches ineffectual and raises the bar for hackers.
In 2012, Korean artist Psy was the first to reach over 1 billion views of his Gangnam Style video clip. Now, another single gang has crossed over the 1 billion count threshold, this time not with an entertaining video clip, but through the nefarious deeds of an anonymous Russian-based group of hackers and fraudsters stealing account records. As reported by The New York Times, using SQL injections, a common type of zero-day exploit, the group siphoned 1.2 BILLION password combinations and 500 MILLION email addresses.
Two important questions come to mind:
1) Assuming that the siphoned 1.2 billion passwords were available in plaintext, why were these records not secured using strong encryption and key management? This would have made the siphoned ciphertext unintelligible, as hackers would not have access to secured encryption keys, such as those living in hardware security modules (HSMs).
2) How many of the pilfered 1.2 billion password-protected accounts—be they financial, webmail, or government-issued—are also protected with strong two-factor authentication (2FA)? In an ideal scenario, the siphoned 1.2 billion compromised accounts would all be protected with two-factor authentication, rendering the hacker’s trove useless. Without having the user’s second authentication factor available—be it a mobile token, hardware token, or software token—hackers would perhaps win the breach-making battle, but would lose the data-exploitation one.
The silver lining in the ongoing saga of data breaches is this:
- First, 2FA protects against illicit access to online accounts, such as illicit access gained following a database hack. 2FA also reduces the risk of compromise to begin with, as fraudsters opt for the ‘low-hanging fruit,’ targeting sites, organizations and individuals who have yet to elevate their access security.
- Second, account data gained through such breaches, be it personally identifiable information (PII) or financial information, can be rendered useless by using the appropriate encryption and key management methods.
In addition to the above instruments, the information technology industry, SafeNet included, is working under the FIDO Alliance roof to perfect a universal specification for authentication that will allow us consumers to use a single strong authentication method of choice to secure all our accounts, whether they are enterprise-issued, webmail, e-banking or e-government.
As with any ongoing adversity, evolution is only a matter of time. Be sure to stay ahead of hackers by being prepared for a breach, and avoid contending with a breach aftermath. Check out the latest breaches, breach trends, and further analysis at www.breachlevelindex.com.
Mor Ahuvia August 4, 2014, 09:30 am EDT
As you have read so far in this series, the evolution of online threats has led to a new approach to data security. This new strategy requires organizations to accept the ‘Secure the Breach’ message—that a data breach is not a matter of ‘if’, but ‘when.’ By assuming a breach will occur, organizations are encouraged to place safeguards around the data and keys and who has access to them. To round out this series, we will conclude with step 3 of this approach and discuss the best way to control access and authentication of users.
Data access points, such as network or application login pages, should be protected by two-factor authentication, while the data itself should be encrypted (both at rest and in motion) to ensure it remains confidential—even in the event that a hacker gains access to it.
While this may seem straightforward, the identity and access management landscape has been warped in recent years by sweeping changes in the IT environment. No longer confined to the boundaries of on-premises IT, data now resides in the data center, as well as in public and private clouds. So how can organizations control access to data throughout the new IT ecosystem? And how can they ensure that a leaked or hacked password doesn’t lead to a full-blown breach? (One such incident is recounted here – Bitly’s 2FA for Employees Brings Secure Cloud Access to the Fore.)
The first part of access control is ensuring that resources are only accessible by those users who require them to do their job. Applications used by the CFO may not be required by SysAdmins, for example. To simplify matters, group-based policies can be easily created, where applicable, to leverage existing user repositories, such as Active Directory or MySQL.
After an access policy is instituted, the next step is to elevate trust—ensuring that users are who they claim to be. This is accomplished by adding strong authentication, which adds a ‘something you have’ factor to the ‘something you know’ factor. Single-factor authentication, which relies on static passwords, does not protect against guessing, phishing, database hacking and traffic sniffing. Two-factor authentication, however, offers dramatically improved security, and can be achieved using multiple technologies:
- One-time password (OTP) authentication
- Out-of-band authentication
- Certificate-based authentication (based on X.509 PKI certificates)
Other technologies, while not comprising ‘true’ two-factor authentication, also improve security dramatically. These include:
- Pattern-based authentication (see GrIDsure)
- Context-based authentication
The tricky part here is that strong authentication must be extended to ALL data belonging to an organization, not just the data residing within the enterprise perimeter. Such data may reside in:
- Cloud applications like Salesforce.com, Office 365, and Dropbox
- VDI applications such as VMware, Citrix XenApp, and AWS EC2
- Web portals, such as OWA
A good access control strategy requires strong authentication to all these resources, in addition to the local network. To eliminate the hassle of using a different password for each resource, technologies such as Identity Federation can be deployed.
To learn more about how an advanced two-factor authentication solution can help you control access to your data—wherever it may reside—see our Business Drivers for Next Generation Authentication blogs.
Throughout this series, we have uncovered a multitude of reasons why organizations can no longer solely rely on a strategy of prevention through network perimeter security, as provided by IPSs, WAFs, and firewalls. Rather, they need to adopt a strategy of breach management, which requires them to ask:
- “Where is my data?”
- “Where are my keys?”
- “Who has access to my data?”
By addressing each area and incorporating these three steps into your data protection strategy, you can be sure your most sensitive data is safe in the event a breach does occur. To learn more, visit www.securethebreach.com.
Miss parts 1-5 of this series? Catch up on what you need to know about preparing for a data breach:
- Securing the Breach, Part 1 – Accept It, Then Protect It
- Securing the Breach, Part 2 – A Three Step Strategy to Breach Bliss
- Securing the Breach, Part 3 – No Rest for Data at Rest
- Securing the Breach, Part 4 – Risk in the Fast Lane for Data in Motion
- Securing the Breach, Part 5 – Cryptographic Keys: Why is Key Security So Important?
If you thought 2013 was the year of the data breach, look again. 2014 is on track to surpass 2013 (assuming the pace of data breach incidents continues on its current trajectory).
Halfway through this year there have already been more than 375 million (known) data records that have been either stolen or lost worldwide. That compares to the nearly 153 million data records lost or stolen during the same period last year. Last year, according to the Breach Level Index, there were more than 575 million data records compromised. This year, we could be on track to surpass 700 million data records.
How is it possible that breaches continue to grow in frequency and scale? If you look at the reports from industry analysts, like Forrester, companies are devoting greater shares of their IT budgets to security. And more of the security budget is being invested in network security, monitoring, malware detection and other perimeter security measures.
So, if more is being invested in security, why isn’t there a concomitant decline in data breaches? Maybe the answer is that the increased investments should be made somewhere else – namely on protecting the data itself instead of the perimeter. Shifting the security investment would ensure that when a breach does occur, the data itself will be protected.
Unfortunately, less than one percent of all 237 breaches during the second quarter were secure breaches where strong encryption or authentication solutions protected the data from being used.
If history has taught us anything, it is that walls are meant to be breached and that guards fall asleep during their watch. Think the Maginot Line or when Charlie Sheen’s character in Platoon falls asleep and lets the enemy surprise his comrades. Protecting the perimeter is no longer sufficient.
Data Breaches in Q2 2014 Infographic:
Some interesting things to note this quarter:
- There have been four consecutive quarters with a data breach of 100 million records or more compromised.
- 175,655,228 records were stolen in the second quarter. This equates to 1,951,724 records stolen per day; 81,321 stolen per hour; and 1,355 records stolen every second.
- The retail industry once again took the top spot in terms of data records stolen (or lost). For more on this, read our post, The Real Cost of a Retail Data Breach.
- Malicious outsiders are targeting businesses’ most critical records. They are responsible for compromising 99 percent of the records and 56 percent of the incidents this quarter, more than any other source.
- 76 percent of the total second quarter breaches originated in North America.
When I was growing up and found myself in hot water with my parents, there was nothing in the fallout – no punishment, no lost privileges – that compared to hearing my father use his go-to haymaker: “You broke my trust.” It was said quietly, but it stung and stuck with me for days the few times I was unfortunate enough to hear it.
In terms of information security, that’s the same message consumers are conveying to retailers involved in data breaches. But they’re doing it with their money.
Based on SafeNet’s Breach Level Index (BLI) Second Quarter Report, 83% of the data records stolen from April-June 2014 came from the retail industry. In all, the retail industry had more than 145 million data records stolen in the quarter.
So what? Breaches happen, customers are notified, passwords are reset, and in no time the retailers can go about conducting business as usual, right? That’s not how it works anymore, as SafeNet’s new Global Consumer Sentiment Survey shows.
Of the 4,500 adults surveyed in the U.S., U.K., Germany, Japan, and Australia, 37 percent of respondents said they would never or would be very unlikely to shop or do business again with a company that had experienced a data breach involving personally identifiable information. Additionally, if financial data was stolen in the breach, that number of dissatisfied and potentially lost customers increased to 65 percent of respondents.
When you consider that the vast majority of records stolen in Q2 were attributed to retailers and these often make headlines, it becomes clear that these organizations stand to lose a great deal of consumer trust and revenue.
Discount retailer Target suffered financially after its front-page breach in Q4 2013, with profits that quarter down by 46 percent. But that’s not the end of the repercussions it’s dealing with after losing customers’ financial data. In the fallout, CEO Gregg Steinhafel stepped down, holding himself “personally accountable” for the breach.
For eBay, a Q2 2014 breach led to a decrease in user activity and forced the company to lower its annual sales targets by $200 million.
Sony is proposing a $15 million settlement to a class action lawsuit filed against the organization after a 2011 breach of its PlayStation Network exposed tens of millions of user names, addresses, passwords and credit card numbers.
The financial repercussions of the breaches already discussed don’t even include the actual cost of the breaches themselves. In the case of StubHub, for example, a recent breach in which hackers used the preexisting payment card information in customers’ accounts to purchase and resell tickets defrauded the company out of $1 million.
Regional organizations can be equally appealing targets. In Q2, hackers stole more than 600,000 customer details from Domino’s Pizza France and Belgium, demanding 30,000 Euros in exchange for not releasing the information publicly.
Based on the Global Consumer Sentiment Survey findings, the costs that result from lost business could be significant for both organizations.
Today, a breach isn’t just an IT or PR problem. It’s not just something for information security professionals to be concerned about. A breach is an organization-wide business problem, and a very serious one for retailers.
In addition to the costs resulting from a loss of customers and the breach itself, there’s also a great deal of time and money that must be invested in addressing the vulnerability that opened the door to the breach in the first place.
Unfortunately, in most instances, there’s a lot of work to be done after the breach because enough steps weren’t taken before it. Supporting that argument, the Breach Level Index also found that strong authentication, encryption, or key management solutions were used in only two of the 237 data breaches reported in Q2 2014.
Seeing the long-term business repercussions that come with a data breach, more organizations need to take those data security measures to minimize the customer losses that will come when a breach ultimately occurs.
To learn more about these measures, read our Secure the Breach Manifesto. Plus, be sure to check out our new Q2 2014 Breaches Infographic for all the need-to-know stats about the quarter’s stolen data records.
Wendy Nather, 451 Research July 29, 2014, 09:30 am EDT
At the SafeNet partner summit last month in Orlando, I got to see many issues being discussed, including some of a transformational nature. Anyone who has seen Tsion Gonen speak knows that he doesn’t back away from transformation – if anything, I think transformation is a little intimidated by him.
But transformation has already been here and left its calling card. Think about all the assumptions we used to make about the enterprise. Many of them are still rooted in the distant past, when there was one big mainframe in the data center, and you were issued a hardwired terminal to access it from your office. Part of the access control relied on your ability to enter the building and the fact that you were given the necessary hardware for access. And sad to say, there are still many long-running, critical systems whose security models are still based on those assumptions.
In this world of cloud, BYOD, and multi-contextual roles, authentication and access control have to transform. Both users and enterprises can use the same software for different purposes, particularly in the public cloud. Mobile is like the Other White Cloud: just as you shouldn’t have to care which server is holding your data, the server shouldn’t have to care what kind of endpoint you’re using to access it. Both ends of the transaction are blurring, and the enterprise perimeter as an innocent bystander has gotten stomped on.
Because of this abstraction of the enterprise, distinguishing personal data from business data has gotten very complicated. You can’t tell which is which by where the data is stored, how it’s stored, what device it was created on, what application was used to create it, what time of day it was created, where the user was when it was created, or even necessarily by the type of data itself. It’s now all about how the data is used; the enterprise is no longer something it has, but rather something it does. And it does it everywhere.
That’s not to say the enterprise isn’t nervous about it. In our data from 451 Research, security is the most often-named pain point for cloud computing, mentioned more than twice as often as the other ones. And those top issues in security are data privacy, access and control, auditing and compliance, and control of data. The twin themes of data encryption and authentication keep coming up over and over.
We need to solve these issues, but they may be getting worse more quickly than we can get to them. Securing data in multiple clouds is one thing, but what about the Internet of Things? (Or, as we say in Texas, the “Internet of Thangs.”) We will need secure, authenticated, encrypted connectivity among everything from refrigerators to light bulbs, and from cars to cows. No, I’m not kidding about the cows.
Between the Internet of Things and the cloud, control is being forced up the stack into the application layer, and data has become the final frontier. We need to abandon our old assumptions and create new tenets to keep up with transformation. As security professionals, our work isn’t going to get easier, but it’s sure going to get a lot more exciting.