Data Breach – Threats from the outside
June 1, 2011 | By Damon Armour, IT Security Officer and contributing writer
Data breach is a popular topic this spring. Last month’s ITS article focused on the Epsilon data breach. In mid-April, Sony PlayStation Network/Entertainment suffered a major security breach affecting up to 100 million people, the ramifications of which are still playing out. Also in April, the Verizon Business Risk Team released the 2011 Data Breach Investigation Report. And in May, Ed Skoudis of the SANS Institute visited ASU and presented Breach-zilla: Lessons Learned from Large-Scale Breaches.
Where are these breaches originating? What can be done to protect personal information? Can an individual feel secure knowing personal data is hosted by outside entities?
Where are these breaches originating?
In the case of Sony, it appears that two different events caused the breach of both their PlayStation Network and their Online Entertainment divisions. One event was a denial-of-service attack from a group called Anonymous who gained Sony’s focus while another group gained access to Sony’s customer data—including names, addresses, phone numbers, usernames, passwords, and payment card details. There is an ongoing investigation to determine how this security breach transpired.
In April, the Verizon Business Risk Team, a leader in data breach reporting, released the 2011 Data Breach Investigation Report, which included the U.S. Secret Service’s 2010 perspective. One key finding is that 92 percent of data breaches are from external sources—a 22 percent increase over the previous year’s findings. Verizon officials state that this figure represents a significant increase in external attacks rather than a decrease in insider threats. With the rise of external threats, the top sources of breach perpetration are hacking, malware, and physical security. Misuse cases dropped from the top spot because of the growth in external attack types.
More recently, ASU hosted Ed Skoudis of the SANS Institute; SANS is one of the largest and most trustworthy information-security-training companies in the world. Skoudis, an authority in the area of data breaches, gave a presentation titled Breach-zilla: Lessons Learned from Large-Scale Breaches. According to Skoudis, the greatest threat for data breaches comes from unintentional client-side exploitation. Client-side exploitation can result from a user opening a PDF attachment containing embedded malware or from clicking on a link to open an unknown website. Once the computer is compromised, the attacker is capable of exploiting information located on the infected PC or pivoting to other computers on the same network. One of the greatest risks is not the data located on the workstation, but the access the attacker can gain to a server by manipulating the workstation. Other areas of risk include peer-to-peer (P2P) tools that accidentally share sensitive information and remote access services from unsecured home computers.
What can we do to protect entrusted information and ourselves?
One of the most effective methods of limiting data breaches or exposure is to limit the amount of personal information individuals share. Provide only the essentials to external firms as well as to individuals. If you know a company already has your social security number on another form, there should be no need to replicate that information. In many cases, the form was never updated, and the information is not necessary.
In our workplaces, the phrase “need to know” is a vital concept in maintaining proper information security. Employees, in collaboration with their management, should limit the amount of information they work with each day. Each of us should ask, for example, “If only one piece of information is needed to perform the job, do I need access to all of this information?”
Another method used in limiting the threat of data breaches is to protect your computer from malware. Technology provides us with numerous tools to assist us in preventing malware infections. Yet, the best technology cannot provide 100 percent protection. Everyone is responsible for exercising caution when opening email attachments and clicking on URLs, and for not installing software without proper approval. By compromising one workstation, you could be compromising all data to which that workstation has access.
What if you have experienced a security breach like the PlayStation Network breach? If you have other online accounts that share the same password, change the password immediately. If payment information is tied to a Sony account, contact your financial institution and provide a new account number and/or place a fraud alert on your account. Finally, work with Sony to acquire credit-monitoring services to ensure your financial information is not being abused.
Can I feel secure knowing outside entities are hosting my data?
There is no clear answer to this question. Data breaches are terrible events that can leave millions feeling helpless concerning their personal information. Individuals need to demand better protection from the companies with which they do business. Yet that responsibility begins with the individual. The security and integrity of data is vital to the university’s business and to the reputation of the institution. The next time a story comes out about a data breach at a company, think of what can be done to prevent that from happening in our community.
Verizon Business Risk Team – 2011 Data Breach Investigation Report