Earlier we delved into disaster recovery and network security. Now it’s time to take a look at Critical Security Controls 13, 14 and 15, which cover data protection and access control. The Critical Security Controls are best practices devised by the Center for Internet Security (CIS), a nonprofit dedicated to improving cybersecurity in the public and private sectors.
A company’s data is its crown jewels, and because it’s valuable, there will always be people looking to get their hands on it. Threats include corporate espionage, cybercriminals, disgruntled employees and plain old human error. Fortunately it’s relatively easy to reduce your potential exposure. It calls for protecting your data, using encryption and authentication, and carefully restricting access.
Critical Control 13: Data Protection
Do you know where your data is? A Voltage Security survey of nearly 300 IT professionals found that 48 percent didn't even know which countries their data resided in once uploaded. Using cloud services and offering mobile device access is the norm now, and it delivers many business benefits, but we must take care to limit and audit data flow.
The most obvious first step is to encrypt your data at all times—in transit and at rest. Use popular cryptographic algorithms and evaluate on an annual basis to ensure your protection is still strong. You can refer to the National Institute of Standards and Technology (NIST) for recommendations and further information. If properly encrypted, even compromised data will be inaccessible to attackers.
Identify sensitive data, and take steps to ensure it’s always encrypted. Use monitoring tools to expose suspicious activity and unauthorized attempts to access data, and flag them. Do regular scans to ensure that no plaintext data is on your systems. Prevent write access, block file transfer websites and be vigilant for rogue connections.
Critical Control 14: Controlled Access Based on the Need to Know
Far too many companies don’t distinguish between sensitive data and publicly accessible information. If attackers gain entry through a weak link, then they essentially have the keys to the kingdom. Of 2,260 confirmed breaches, 63 percent leveraged weak, default or stolen passwords, according to Verizon’s 2016 Data Breach Investigations Report. If you don’t restrict access to data based on who actually needs it, then you are presenting a much larger potential attack surface.
Divide your data into categories, and make sure sensitive data is protected and can be accessed only by authorized employees who have a legitimate reason to access it. If sensitive data must be sent across less-trusted networks, make sure it’s encrypted. Use authentication to verify the person accessing the data, and create audit logs that can be scanned for suspicious behavior. Restricting data access strictly to what’s required for each job role is essential if you want to prevent a sensitive data breach.
Critical Control 15: Wireless Access Control
Wireless access is ubiquitous now, but the added convenience comes at a cost in terms of security. Attackers can potentially gain access without even having to gain entry to your building. It’s also alarmingly common for wireless attacks on traveling employees to result in data loss and sometimes infection that is carried back into the office. The BYOD trend has drastically increased the number of devices that could be usefully compromised from an attacker’s perspective.
You can clamp down on this threat by ensuring that every wireless device connected to your network has an authorized configuration and security profile. If you don’t know what the device is or who owns it, it doesn’t get access. The network should be scanned constantly to identify rogue access points or unauthorized devices and to expose attempted attacks.
In some cases, business hardware can be configured to block wireless access or to restrict it to authorized wireless networks only. Consider blocking the use of wireless peripherals, such as Bluetooth headsets, which can be very insecure. Always use encryption and authentication. Create separate virtual LANs for untrusted devices and make sure all traffic is filtered and audited.
It will take some time to classify your data and create a hierarchy of access based on job roles, but it’s a necessary foundation for data security. It isn't enough to have a system to protect your data and restrict access; you must also continue to monitor and audit to identify weak spots and act immediately to strengthen them.
Don’t make it easy for attackers.
The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.
This article is published as part of the IDG Contributor Network. Want to Join?