Security breaches are occurring every day. The world will forgive you for thinking you have your antivirus, security software and all locks in place to protect you and your company. A companies data refers to all the companies digital asset, which includes company emails, voice mails, files and lots more.
What is a security breach? It is merely unauthorised access. You have a security breach in your house if strangers walk into your home and help themselves to your belongings. Some may force the lock (brute force), some may tailgate you into your house and hide, others may make a copy of your key and open your door.
The concept is similar for your data. Your application is the interface that gives you access to your data. When thinking about your companies digital assets, you will not only have to think about the security of your application; you also have to think about securing all steps that lead you to your application. Ideally, the company should carry all analysis long before deploying the application into a production environment.
Let us go back to your home security, if you have your gold stored in a safe in the wall of your study and put a picture over it. Do you lock the door of the room and leave the main house and gate wide open? No, you still have security in your home.
Let us look at some of the steps leading to the execution of an application:
- Turn on your computer or mobile device
- Log in to your computer
- Access your application that lives on your computer or
- Access application that lives in the cloud.
There may be more but I will address these simple steps in this writeup.When you turn on your computer, if in the past you had:
- Visited some strange site
- Used a USB key that someone gave to you for free
- Clicked on a link in an email
- Downloaded malware.
When you turn on your computer operating system boots up, one of the above processes may have installed malicious software to execute on boot. Some may capture your keystroke and use this to obtain your password—one gate down, now to the next. You now log into the application that gives access to your data. So what happens is that your invisible key logger now also has access to your data and you do not know it. Wow, now how do you know that there is a stranger on your system? You have to be actively monitoring to know.
Most social media sites will send the owner an email to say “you logged in from this IP is this you?”. These sites already have implemented security by default. For companies with legacy systems, this is not always the case. So they will never know unless they redesign their security framework. What if you are an application administrator and your password was hacked? Well, you are doomed. Unless you have a process that informs you when data over a certain number of rows have been retrieved and notifies you, you will not know. Or perhaps you have an algorithm that notices unusual pattern in your access and typing and sends you an email. Assuming the hacker does not get there first. Let’s face it the prominent hackers are not going to retrieve data row by row? They are going for your whole database or whole directory files and disk.
As part of your security framework for your company, you have to implement security for:
- data at rest and in transit
- monitor changes to files
- monitor changes to directories
- remove all unused applications
- change passwords regularly* avoid using default usernames and passwords, and that includes using your name as a username.
- Limit the number of times a user can try to log in
- Lock user out after x number of tries
- Force password change after x number of tries
- Encrypt your data by default
- Protect your users from themselves. Educate them on security matters
- Users should avoid clicking on links in their email. Check who it is sent from first.
This is by no means an exhaustive list, but it is a start. Check all gates to your systems and secure them.
*The frequency of password change should be assessed by individual companies. We now have GPU’s that allows hackers to run code-breaking algorithms quicker. Think of ways to break their tries.