By Calum Macleod – Cyber-Ark
You would think that at some point your children will reach the age at which you can reason with them. I'm hoping it's a year older than the oldest one is right now; none of mine have achieved this rarefied state yet, so I'm still living in hope. Take the simple concept of locking the back door before they leave the house: you would expect them to understand the rationale. After all, they've spent all these years watching their mother go back into the house at least twice just to double-check that I did lock it before I locked the front door. But somehow this concept seems overly complex. Of course, this is just one of a long list of what I consider rational ideas that seem revolutionary to them, such as "slow down at speed cameras", "fill up the tank at least once a year", etc. But if we dare enter one of the bedrooms that look as if a hurricane has just passed through, we might as well have compromised national security.
Somehow the concept of treating other people's property with the same care that you treat your own seems alien, even in the family. So I guess it should not come as a great surprise that other people's sons and daughters are exactly the same, and every business is full of other people's sons and daughters. So it seems only logical that somebody has to be mother in any business: double-checking that the backdoor is locked.
As we discovered in a recent survey, not only are backdoors left open, but frequently people know they are open and can't be bothered to close them; after all, they might need access themselves at some point. More than a third of people interviewed admitted that they still had backdoor access to their old employers' data, and a quarter of those interviewed knew that former colleagues could access it, and yet they did nothing about it!! My family would be proud of them!!
So how serious can a backdoor be? Well, the recent example of a large global retailer that was "hacked" for several months, maybe a couple of years, resulting in huge amounts of customer data going out the "backdoor" (they may never know just how much they lost), is clearly just the tip of the iceberg, unless the other 99.99% of those with backdoor access are only keeping it for sentimental reasons. One reason to suspect that it might have been a former employee is the quote from the company: "We believe that the intruder had access to the decryption tool for the encryption software utilized." Now either they are using the worst encryption tool ever invented, in which case they have a duty to name the supplier, or, more likely, somebody "accidentally" managed to access the recovery keys; or maybe it was only supposed to be encrypted. Like the recent incident with a UK bank: "The disk would usually be encrypted. Unfortunately, due to human error on this occasion the usual policy was not followed."
What these two incidents point to is that many organisations need to seriously address how to protect sensitive data and how to control privileged access to systems. Simply encrypting sensitive data is of little use if those who manage the systems where the data is kept have uncontrolled access. Conversely, protecting the privileged password is all well and good, but if a user who has obtained that password can then access highly confidential data without leaving any trace, it defeats one of the major purposes of protecting privileged accounts.
For example, the Payment Card Industry (PCI) standard requires the protection of stored cardholder data and restricting access to cardholder data by business need-to-know. SOX mandates that corporate management take responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting. In other words, if your staff are able to gain unauthorised access to sensitive data once they have a privileged password, then you're only addressing half the problem.
That two major companies have made headlines is more an indication of the overall state of data security within organisations. No one would deny that both organisations have the means to deploy the best technology; the problem, I would suggest, is that they both appear to have placed too much trust in the integrity of staff and were overly dependent on staff carrying out their responsibilities effectively. And despite the fact that the buck stops at the top, the first people who should come under serious scrutiny are the senior security staff whose job it is to ensure that these incidents do not happen.
Passwords – Protecting The Key
Passwords remain the primary key used to unlock access to business-technology systems, and they need to have a limited use-life. System-level passwords, such as those used to gain access to networking equipment and server/application administration, need to be changed regularly and in some cases should be "one-time-only". All privileged or "super" user passwords should be centrally maintained and managed. Basic employee passwords used to access business applications, computers, e-mail accounts, etc., should similarly be recycled regularly. Despite widespread knowledge of sound password policy, many organizations still fail to create, manage, and retire their usernames and passwords effectively.
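One way to make the two points above concrete (the ex-employee backdoor access from the survey, and the rotation and one-time rules for privileged passwords), as an added example that is not part of the original article or any Cyber-Ark product: a small Python check that reconciles a central privileged-account inventory against an HR leavers list and against the password-age policy. The inventory, the leavers list, the field names and the 30-day/1-day limits are constructed assumptions for the example.

```python
# Added example (not from the original article): reconcile a central
# privileged-account inventory against (a) HR leavers, whose access should
# not exist at all, and (b) the rotation policy for routine and one-time
# passwords. All data, field names and limits below are constructed.
from datetime import date

# Constructed sample export from a central privileged-account inventory.
PRIV_ACCOUNTS = [
    {"account": "root@db-prod-01", "owner": "alice", "last_rotated": "2008-01-05", "one_time": False},
    {"account": "admin@core-switch", "owner": "bob", "last_rotated": "2007-03-10", "one_time": False},
    {"account": "break-glass@erp", "owner": "carol", "last_rotated": "2008-02-28", "one_time": True},
    {"account": "svc-backup@tape-lib", "owner": "dave", "last_rotated": "2008-02-01", "one_time": False},
]

# Constructed HR leavers list: owner -> leaving date.
LEAVERS = {"bob": "2007-11-30"}

# Constructed policy: routine privileged passwords rotate every 30 days;
# a one-time ("break-glass") credential must be rotated after each use,
# so anything older than a day counts as stale.
MAX_AGE_DAYS = {"routine": 30, "one_time": 1}

# Constructed "today" so the example is reproducible offline.
REPORT_DATE = date(2008, 3, 1)


def password_age_days(last_rotated: str, today: date) -> int:
    """Days since the stored rotation date (ISO format)."""
    return (today - date.fromisoformat(last_rotated)).days


def find_stale_access(accounts, leavers, today: date):
    """Return (account, reason) findings for review.

    A leaver's account is always reported regardless of password age:
    the access itself is the problem, not just the stale credential.
    """
    findings = []
    for acct in accounts:
        if acct["owner"] in leavers:
            findings.append((acct["account"], f"owner left on {leavers[acct['owner']]}"))
            continue
        limit = MAX_AGE_DAYS["one_time" if acct["one_time"] else "routine"]
        age = password_age_days(acct["last_rotated"], today)
        if age > limit:
            findings.append((acct["account"], f"password {age} days old, limit {limit}"))
    return findings


if __name__ == "__main__":
    for account, reason in find_stale_access(PRIV_ACCOUNTS, LEAVERS, REPORT_DATE):
        print(f"REVIEW {account}: {reason}")
```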
Securing Data – Hiding The Family Jewels
Given the continuous news of lost backup tapes and unauthorized access to corporate databases, more attention needs to be given to the effective encryption of "data-at-rest". Encrypting stored data can be one of the most critical facets of an organization's defence-in-depth strategy.
Securing data while it travels between applications, business partners, suppliers, customers, and other members of an extended enterprise is crucial. As enterprise networks become increasingly accessible, with more and more organisations adopting an "Internet Centric" model, the risks that information will be intercepted or altered in transmission become harder to manage.
This is the very essence of Vaulting Technology. Vaulting Technology makes certain that an inevitable slip in an organization's security posture won't result in stolen intellectual property, or in having to inform customers that they're at risk of identity theft because their personally.
Today many companies are still exchanging highly sensitive data by courier because the infrastructures they have in place have not addressed the protection of highly sensitive data. It's a bit like having email but still relying on the Pony Express for the really critical stuff! Certain traditions are not worth keeping!!
There was a day when everything was committed to paper and locked in a secure vault or safe in the office. Nowadays everything is digital, but it still needs to be locked away in a digital vault. After all, somebody is bound to forget to lock the door sooner or later.
Lock The Door!!
