Data Security; Are Your Company Assets Really Secure?

Is your data secure? Think again. Securing data is unlike any other corporate asset, and is likely the biggest challenge your company faces today. You may not see it, but almost all of your company's information is in digital form somewhere in the system. These assets are critical because they describe everything about you; your products, customers, strategies, finances, and your future. They might be in a database, protected by data-center security controls, but more often than not, these assets reside on desktops, laptops, home computers, and more importantly in email or on some form of mobile computing device. We have been counting on our firewall to provide protection, but it has been estimated that at least fifty percent of any given organization's information is in email, traveling through the insecure cyberspace of the Internet.

Digital Assets are Unique

Digital assets are unlike any other asset your company has. Their value exceeds just about any other asset your company owns. In their integral state they are worth everything to your company; however, with a few "tweaks" of the bits they are reduced to garbage. They fill volumes in your data center, yet can be stolen on a keychain or captured in the air. Unlike any other asset, they can be taken tonight, and you will still have them tomorrow. They are being created every day, yet they are almost impossible to dispose of, and you can erase them and they are still there. How can you be sure that your assets are really safe?

Understanding Physical Security Architectures

Physical assets have been secured for thousands of years, teaching us some important lessons. An effective security architecture uses three basic security control areas. Let's assume you want to create a secure home for your family; what would you do? Most of us started with the basics; doors, windows, locks, and perhaps a fence. Second, we rely on insurance, police protection, and we may have even purchased an attack dog or a personal firearm. Given these controls, you may have taken one more step to provide some type of alarm. Not trusting your ears to detect an intrusion, you might have installed door and window alarms, glass break sensors, or motion detection. You may have even joined the neighborhood watch program in your area. These are the controls everyone uses, and they are similar to the controls that have been used since the beginning of mankind.

Which is most important? Looking at the three categories of security controls used, the first consists of protective devices that keep people out; doors, windows, locks, and fences. Secondly, alarms notify us of a break-in. Finally we have a planned response control; the police, use of a firearm, or recovery through insurance. At first glance it may appear that the protective controls are the most important set of controls, but a closer look reveals that detection and response are actually more important. Consider your bank; every day the doors are open for business. This is true of just about every business, home, or transportation vehicle. Even the bank safe is generally open throughout the day. You can see it from the bank teller counter, but step over the line and you will find out how good their detection-response plan is.

Evaluating your Company's Approach

Now look at your digital assets; how are they protected? If you are like most organizations, your entire security strategy is built on protection controls. Almost every organization in America today has a firewall, but does not have the ability to detect and respond to unauthorized users. Here is a simple test; run a Spyware removal program on your system and see what comes up. In almost every case you will find software installed on your system that was not installed by an authorized user. In the past this has been an irritation; in the future, this will become the program that links uninvited guests to your data. Bruce Schneier, a well known security author and expert writes in his book, Secrets and Lies, "Most attacks and vulnerabilities are the result of bypassing prevention mechanisms". Threats are changing. The biggest threats likely to invade your systems will bypass traditional security measures. Phishing, spyware, remote access Trojans (RATS), and other malicious code attacks are not prevented by your firewall. Given this reality, a detection response strategy is essential.

It's time to review your security strategy. Start by asking three questions. First, which assets are critical to your business, where are they located, and who has access to them? Second, what threats exist? Determine who would want your data, how they might gain access, and where the possible weaknesses in your security architecture lie. Finally, how comfortable are you with your company's ability to detect and respond to unauthorized access. If someone wants access to your data, preventative measures alone won't stop them.

Begin planning a balanced security architecture. Start by adding detection controls to your prevention architecture. This does not mean simply adding intrusion prevention software (IPS), but rather creating a system to proactively monitor activity. Intruders make noise, just like in the physical world, and with proper event management, combined with zero-day defense technologies of IPS, network administrators can begin to understand what normal activity looks like and what anomalies might be signs of an attack. In a recent interview with Scott Paly, President and CEO of Global Data Guard, a Managed Services Security Provider (MSSP), Scott said, "Threats such as worms and new hacker techniques constantly morph, so the most viable model for optimum security is a blend of preventive and predictive controls based on analysis of network behavior over time". By balancing prevention, detection, and response, companies can defeat most of the latest hacker attempts.

David Stelzl, CISSP is the owner and founder of Stelzl Visionary Learning Concepts, Inc. providing keynotes, workshops, and professional coaching to technology resellers. David works with executive managers, sales people, and practice managers who are seeking to become market leaders in technology areas that include Information Security, Managed Services, Storage and Systems solutions, and Networking. Contact us at info@stelzl.us or visit http://www.stelzl.us to find out more.

In The News:

Hot Hardware
Number Of Bank Customers Affected By Security Breach Soars
Hartford Courant, United States - 15 hours ago
New York Mellon disclosed in May that the security breach affected 497333 Connecticut residents, most of them depositors of People's United Bank in ...
Security breach at bank hits 12M people: BNY Mellon records could ... TMCnet
Bank of NY Mellon says data breach now affects 12M CNNMoney.com
Bank of NY Mellon data breach now affects 12.5 mln Reuters
SC Magazine UK - Dark Readingall 49 news articles

dBTechno
iPhone Round-Up: Security Fix; Rogers Revamps Prices; AT&T ...
Washington Post, United States - 23 hours ago
Security Flaw and repair date: A recently discovered security flaw will be fixed by September, Apple ( NSDQ: AAPL) told Macworld today. ...
Network Security Apple Won't Fix iPhone Passcode Hole Until September CIO Today
Apple promises September fix for iPhone security flaw Macworld
Apple To Fix iPhone Security Flaw CRN
ChattahBox - eFluxMediaall 123 news articles

Tight Security, Festive Atmosphere Await Convention Travelers at ...
MarketWatch - 2 hours ago
A new pre-security Houlihan's opened this week in the Lindbergh Terminal Ticketing Lobby, near Checkpoint 1. The full-service restaurant is accessible to ...

Homeland Security Capital Corporation's Environmental Remediation ...
MarketWatch - 11 hours ago
an international provider of specialized technology-based radiological, nuclear, environmental, disaster relief and security solutions to government and ...

Proctor & Gamble outsources security to IBM, but keeping security ...
NetworkWorld.com, MA - 9 hours ago
"By teaming with IBM ISS, our objective is to both strengthen our security systems and improve the efficiency and effectiveness of our security operations," ...
Procter and Gamble Selects IBM Internet Security Systems to Help ... CNNMoney.com
Proctor & Gamble Taps IBM ISS For Cyber-Security Contract InformationWeek
Proctor & Gamble Chooses IBM ISS for Cyber Security IT Business Edge
Bizjournals.comall 18 news articles

ABC News
Communiques from the security front, sir
ZDNet UK, UK - Aug 28, 2008
... easy it was to break into the Nasa systems, or, to quote his dad when I spoke to them both outside the House of Lords in June -- "The security was crap. ...
Space station computer virus raises security concerns New Scientist (subscription)
The IT Security of the ISS Wired News
Ground Control To Major Tom: Check Your Laptop For Worms CRN
InternetNews.comall 216 news articles

Bank security guard is shot and killed in South LA
Los Angeles Times, CA - 15 hours ago
Two attackers wrested a handgun from a security guard at a Los Angeles bank Thursday, then fatally shot him with his own weapon, police said. ...
New info in security guard shooting case abc7.com
Bank Security Guard Shot, in Critical Condition After Robbery MyFox Los Angeles
Security Guard Shot Outside Bank Dies KTLA
Los Angeles Times - Los Angeles Timesall 6 news articles

Apple to Fix iPhone Security Loophole
InternetNews.com - 5 hours ago
An Apple spokesperson told Reuters via e-mail that Apple was aware of the iPhone security flaw and is preparing a software update to fix the flaw, ...
IPhone security flaw allows bypassing of password San Francisco Chronicle
Hold On To Your iPhones, Apple Says Fix On The Way CRN
iPhone Suffers From Major Security Bug eFluxMedia
CNET News - VNUNet.comall 41 news articles

Fixing Social Security
Washington Post, United States - 21 hours ago
25 editorial "Social Security on Ice" about Democratic presidential nominee Barack Obama's suggestion of a higher FICA tax on earned income of more than ...
We Cannot Tax Our Way out of the Entitlement Crisis American Enterprise Institute
Deficit Hawks Rain on Obama’s Parade CQPolitics.com
all 3 news articles

RNC security unprecedented in Minnesota
KARE, MN - 1 hour ago
Such a room has been set up just 27 times since 1998 when President Clinton created a category known as 'National Special Security Events. ...
Secret Service Command Center Readies For GOP Convention CBS News
Inside US Secret Service's Republican Convention Command Center FOX 9 News
FBI outlines role during RNC Worthington Daily Globe
all 13 news articles
security - Google News

Preventing Online Identity Theft

Identity theft is one of the most common criminal acts in society today. Criminals will... Read More

Identity Theft -- 10 Simple Ways to Protect Your Good Name!

Identity Theft is one of the most serious problems facing Internet users. Identity Theft is... Read More

How Can Someone Get Private Information From My Computer?

From the "Ask Booster" column in the June 17, 2005 issue of Booster's Auction News,... Read More

Be Aware of Phishing Scams!

If you use emails actively in your communication, you must have received various messages claiming... Read More

The 5 Critical Steps to Protecting Your Computer on the Internet

Spyware, viruses and worms... oh my!If you are connected to the internet, you need to... Read More

Criminals are Fishing For Your Identity

What is Phishing? In a typical Phishing attack, a criminal will send you an email... Read More

Hacking Threats and Protective Security

The 1998 Data Protection Act was not an extension to, but rather a replacement which... Read More

Securing Your Accounts With Well-Crafted Passwords

In the past I've never really paid much attention to security issues when it comes... Read More

Lottery Scam, What It is and how to Avoid It?

Internet scams and frauds are on the rise! The quantity of scam emails with various... Read More

Message Board Security Problems

Security leaks can be a big problem for any site using a message board. Hackers... Read More