3 Ways to Protect Data and Control Access to It

Your company’s data is its crown jewels, and you must protect it at all times. CIS Controls 13, 14 and 15 will help you.

 

Earlier we delved into disaster recovery and network security. Now it’s time to take a look at Critical Security Controls 13, 14 and 15, which cover data protection and access control. The Critical Security Controls are best practices devised by the Center for Internet Security (CIS), a nonprofit dedicated to improving cybersecurity in the public and private sectors.

A company’s data is its crown jewels, and because it’s valuable, there will always be people looking to get their hands on it. Threats include corporate espionage, cybercriminals, disgruntled employees and plain old human error. Fortunately, it’s relatively easy to reduce your potential exposure. It calls for protecting your data, using encryption and authentication, and carefully restricting access.

 

Critical Control 13: Data Protection

Do you know where your data is? A Voltage Security survey of nearly 300 IT professionals found that 48 percent didn’t even know which countries their data resided in once uploaded. Using cloud services and offering mobile device access is the norm now, and it delivers many business benefits, but we must take care to limit and audit data flow.

The most obvious first step is to encrypt your data at all times, in transit and at rest. Use standard, well-vetted cryptographic algorithms, and review your choices at least annually, because algorithms, protocol versions and key lengths that were adequate a few years ago may no longer be. The National Institute of Standards and Technology (NIST) publishes current recommendations and further information. Properly encrypted data is of no use to an attacker who steals it, provided the keys are managed separately and are not exposed along with the data.
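A concrete way to carry out that annual review for data in transit is to check the TLS settings your clients actually use against a written policy. The example below is added for this article and is not code from the original. The policy it encodes (TLS 1.2 floor, certificate and hostname verification on, forward-secret AEAD suites only, a deny list of algorithm fragments) is an assumption chosen to mirror NIST SP 800-52r2, and the weak context is built only for contrast.

```python
"""Audit a TLS client configuration against a minimum policy (added example)."""
import ssl

# Algorithm fragments no longer acceptable in a TLS cipher-suite name.
# Assumed deny list for illustration; "DES" also catches 3DES suite names.
WEAK_FRAGMENTS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")

# Explicit TLS 1.2 suites: ECDHE for forward secrecy, GCM/ChaCha20 AEAD.
# OpenSSL silently skips names it does not know, so the string is portable.
TLS12_SUITES = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
])


def build_hardened_context() -> ssl.SSLContext:
    """Client context: TLS 1.2 minimum, certificate and hostname checks on."""
    ctx = ssl.create_default_context()  # PROTOCOL_TLS_CLIENT plus the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers(TLS12_SUITES)       # TLS 1.3 suites are managed separately by OpenSSL
    return ctx


def build_weak_context() -> ssl.SSLContext:
    """The kind of context that trusts any server; shown only for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def weak_cipher_names(names):
    """Return the cipher-suite names that contain a forbidden algorithm fragment."""
    return [n for n in names if any(frag in n.upper() for frag in WEAK_FRAGMENTS)]


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return policy violations for a context; an empty list means compliant."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version too low: {ctx.minimum_version.name}")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate verification is not required")
    if not ctx.check_hostname:
        findings.append("hostname verification is disabled")
    for name in weak_cipher_names(c["name"] for c in ctx.get_ciphers()):
        findings.append(f"weak cipher suite enabled: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", build_hardened_context()), ("weak", build_weak_context())):
        print(label, audit_context(ctx) or ["no findings"])
```

Run the audit against every context your code builds, not just the default one, and rerun it when you upgrade Python or OpenSSL: `get_ciphers()` reports what the linked library will actually negotiate, which is what matters.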

Identify sensitive data, and take steps to ensure it is always encrypted. Use monitoring tools to detect suspicious activity and unauthorized attempts to access data, and flag them for review. Scan regularly to confirm that no sensitive data is sitting on your systems in plaintext. Prevent systems from writing data to removable media such as USB drives, block file-transfer websites and watch for rogue connections.
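The plaintext scan can be automated. The scanner below is an added example, not code from the original article: it walks a directory tree, looks for payment card numbers (validated with the Luhn check so that random digit runs such as request IDs are not reported) and US Social Security numbers, and reports file and line with the value masked so the report itself does not become another copy of the data. The sample files it creates are constructed for illustration.

```python
"""Find sensitive data stored in plaintext (added example, constructed sample files)."""
import os
import re
import tempfile

# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# US SSN shape, excluding the area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the report never repeats the secret."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text: str):
    """Yield (kind, value) for each candidate found in a text string."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            yield "card", m.group()
    for m in SSN_RE.finditer(text):
        yield "ssn", m.group()


def scan_tree(root: str, max_bytes: int = 4 * 1024 * 1024):
    """Return findings as (path, line_no, kind, masked_value) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:   # skip binaries and huge logs
                continue
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                for line_no, line in enumerate(fh, 1):
                    for kind, value in find_sensitive(line):
                        findings.append((path, line_no, kind, mask(value)))
    return findings


def demo_scan():
    """Build a constructed sample tree (not real data) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "customers.csv"), "w") as fh:
            fh.write("name,card,ssn\n")
            fh.write("alice,4111 1111 1111 1111,123-45-6789\n")   # test card number
        with open(os.path.join(root, "request.log"), "w") as fh:
            fh.write("req_id=1234567890123456 status=200\n")      # fails Luhn, ignored
        return [(os.path.basename(p), n, k, v) for p, n, k, v in scan_tree(root)]


if __name__ == "__main__":
    for finding in demo_scan():
        print(finding)
```

Point it at file shares, backup staging areas and developer home directories, where exports "for a quick look" tend to accumulate, and treat every hit as a data-handling finding to remediate, not merely a file to delete.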

 

Critical Control 14: Controlled Access Based on the Need to Know

Far too many companies don’t distinguish between sensitive data and publicly accessible information. If attackers gain entry through a weak link, then they essentially have the keys to the kingdom. Of 2,260 confirmed breaches, 63 percent leveraged weak, default or stolen passwords, according to Verizon’s 2016 Data Breach Investigations Report. If you don’t restrict access to data based on who actually needs it, then you are presenting a much larger potential attack surface.

Divide your data into categories, and make sure sensitive data is protected and can be accessed only by authorized employees who have a legitimate reason to access it. If sensitive data must be sent across less-trusted networks, make sure it’s encrypted. Use authentication to verify the person accessing the data, and create audit logs that can be scanned for suspicious behavior. Restricting data access strictly to what’s required for each job role is essential if you want to prevent a sensitive data breach.
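The paragraph above describes three mechanisms that work together: a classification for each dataset, a deny-by-default check that grants access only to roles with a business need, and an audit log that is actually analysed. The example below is added for this article and is not code from the original; its classification levels, role assignments and the two users' activity are constructed for illustration.

```python
"""Need-to-know authorization with an audit trail (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Data categories, least to most sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
SENSITIVE_LEVEL = LEVELS["confidential"]

# Constructed inventory: each dataset carries a classification and the roles
# with a legitimate need. "*" means any authenticated employee.
DATASETS = {
    "press-releases":  {"level": "public",       "roles": {"*"}},
    "staff-directory": {"level": "internal",     "roles": {"*"}},
    "payroll":         {"level": "restricted",   "roles": {"hr", "finance"}},
    "customer-cards":  {"level": "restricted",   "roles": {"billing"}},
    "roadmap":         {"level": "confidential", "roles": {"product", "engineering"}},
}


@dataclass
class AuditEvent:
    when: datetime
    user: str
    role: str
    dataset: str
    allowed: bool


@dataclass
class AccessGate:
    log: list = field(default_factory=list)

    def authorize(self, user, role, dataset, when=None):
        """Deny by default; grant only when the role is listed for the dataset."""
        when = when or datetime.now()   # record UTC in production
        entry = DATASETS.get(dataset)
        allowed = entry is not None and ("*" in entry["roles"] or role in entry["roles"])
        self.log.append(AuditEvent(when, user, role, dataset, allowed))
        return allowed


def suspicious_users(log, window=timedelta(minutes=10), max_denied=3, max_sensitive=2):
    """Flag users with repeated denials, or who touch several sensitive datasets, in a window."""
    flagged = {}
    by_user = defaultdict(list)
    for ev in sorted(log, key=lambda e: e.when):
        by_user[ev.user].append(ev)
    for user, events in by_user.items():
        for i, start in enumerate(events):
            recent = [e for e in events[i:] if e.when - start.when <= window]
            denied = sum(1 for e in recent if not e.allowed)
            sensitive = {e.dataset for e in recent
                         if e.allowed and LEVELS[DATASETS[e.dataset]["level"]] >= SENSITIVE_LEVEL}
            if denied >= max_denied:
                flagged[user] = f"{denied} denied requests within {window}"
                break
            if len(sensitive) >= max_sensitive:
                flagged[user] = f"touched {len(sensitive)} sensitive datasets within {window}"
                break
    return flagged


def demo():
    """Constructed activity: bob probes data outside his role, carol does her job."""
    gate = AccessGate()
    t0 = datetime(2016, 5, 1, 9, 0)
    for i, ds in enumerate(["payroll", "customer-cards", "roadmap", "payroll"]):
        gate.authorize("bob", "engineering", ds, t0 + timedelta(minutes=i))
    gate.authorize("carol", "hr", "payroll", t0)
    gate.authorize("carol", "hr", "staff-directory", t0 + timedelta(minutes=5))
    return gate, suspicious_users(gate.log)


if __name__ == "__main__":
    gate, flagged = demo()
    for ev in gate.log:
        print(ev)
    print("flagged:", flagged)
```

Denied requests are the interesting part of the log: one denial is a typo, three in a few minutes is someone mapping what they can reach. Tune the window and thresholds to your own baseline before alerting on them.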

 

Critical Control 15: Wireless Access Control

Wireless access is ubiquitous now, but the added convenience comes at a cost in terms of security. Attackers can potentially gain access without even having to gain entry to your building. It’s also alarmingly common for wireless attacks on traveling employees to result in data loss and sometimes infection that is carried back into the office. The BYOD trend has drastically increased the number of devices that could be usefully compromised from an attacker’s perspective.

You can clamp down on this threat by ensuring that every wireless device connected to your network has an authorized configuration and security profile. If you don’t know what the device is or who owns it, it doesn’t get access. The network should be scanned constantly to identify rogue access points or unauthorized devices and to expose attempted attacks.
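The scan for rogue access points boils down to comparing what is on the air against an inventory of what you deployed. The example below is added for this article, not code from the original, and goes a little beyond the paragraph: besides unknown devices, it flags an unknown BSSID broadcasting your SSID (an evil twin), a look-alike SSID built from homoglyphs, and an authorized access point whose security setting has been downgraded. The SSID names, the inventory and the scan results are constructed; in practice the scan would come from your wireless controller or a tool such as airodump-ng.

```python
"""Detect rogue and impersonating wireless APs from scan results (added example)."""
import re
from dataclasses import dataclass

CORP_SSIDS = {"Towerwall-Corp", "Towerwall-Guest"}   # assumed names
STRONG_DBM = -60                                     # louder than this is probably inside

# Constructed inventory: BSSID -> (expected SSID, expected security).
AUTHORIZED = {
    "00:11:22:33:44:01": ("Towerwall-Corp", "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("Towerwall-Corp", "WPA2-Enterprise"),
    "00:11:22:33:44:03": ("Towerwall-Guest", "WPA2-PSK"),
}


@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    security: str     # "OPEN", "WEP", "WPA2-PSK", "WPA2-Enterprise", ...
    signal_dbm: int


def normalize(ssid: str) -> str:
    """Fold common homoglyphs so 'TowerwaII-Corp' collides with 'Towerwall-Corp'."""
    s = ssid.strip().lower()
    s = re.sub(r"[il1|]", "l", s)
    s = re.sub(r"[o0]", "o", s)
    return s


def classify(ap: ObservedAP, authorized=AUTHORIZED, corp_ssids=CORP_SSIDS):
    """Return the reasons this AP deserves attention; an empty list means fine."""
    reasons = []
    known = authorized.get(ap.bssid.lower())
    if known is None:
        if ap.ssid in corp_ssids:
            reasons.append("evil twin: corporate SSID from unknown BSSID")
        elif normalize(ap.ssid) in {normalize(s) for s in corp_ssids}:
            reasons.append(f"lookalike of a corporate SSID: {ap.ssid!r}")
        elif ap.signal_dbm > STRONG_DBM:
            reasons.append("strong unknown AP, possibly on premises")
    else:
        exp_ssid, exp_sec = known
        if ap.ssid != exp_ssid:
            reasons.append(f"authorized BSSID broadcasting unexpected SSID {ap.ssid!r}")
        if ap.security != exp_sec:
            reasons.append(f"security downgraded from {exp_sec} to {ap.security}")
    if ap.ssid in corp_ssids and ap.security in ("OPEN", "WEP"):
        reasons.append("corporate SSID offered without WPA2")
    return reasons


def report(scan, authorized=AUTHORIZED, corp_ssids=CORP_SSIDS):
    """Map BSSID -> reasons for every AP in the scan that needs a look."""
    out = {}
    for ap in scan:
        reasons = classify(ap, authorized, corp_ssids)
        if reasons:
            out[ap.bssid] = reasons
    return out


# Constructed scan results, not a real capture.
SAMPLE_SCAN = [
    ObservedAP("00:11:22:33:44:01", "Towerwall-Corp", "WPA2-Enterprise", -45),  # fine
    ObservedAP("00:11:22:33:44:03", "Towerwall-Guest", "WPA2-PSK", -50),        # fine
    ObservedAP("de:ad:be:ef:00:01", "Towerwall-Corp", "OPEN", -40),             # evil twin
    ObservedAP("00:11:22:33:44:02", "Towerwall-Corp", "WPA2-PSK", -48),         # downgraded
    ObservedAP("aa:bb:cc:dd:ee:ff", "Neighbor-5G", "WPA2-PSK", -82),            # faint neighbour
    ObservedAP("aa:bb:cc:dd:ee:10", "FreeWifi", "OPEN", -38),                   # strong unknown
    ObservedAP("de:ad:be:ef:00:02", "TowerwaII-Corp", "WPA2-PSK", -42),         # lookalike SSID
]

if __name__ == "__main__":
    for bssid, reasons in report(SAMPLE_SCAN).items():
        print(bssid, reasons)
```

Signal strength is a heuristic: a neighbour's access point is not your problem, but an unknown one louder than your own usually is. Walk the floor with a handheld scanner to confirm before pulling anything.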

In some cases, business hardware can be configured to block wireless access or to restrict it to authorized wireless networks only. Consider blocking the use of wireless peripherals, such as Bluetooth headsets, which can be very insecure. Always use encryption and authentication. Create separate virtual LANs for untrusted devices and make sure all traffic is filtered and audited.

 

Tighten up

It will take some time to classify your data and create a hierarchy of access based on job roles, but it’s a necessary foundation for data security. It isn’t enough to have a system to protect your data and restrict access; you must also continue to monitor and audit to identify weak spots and act immediately to strengthen them.

Don’t make it easy for attackers.

 

 

This article was recently published in NetworkWorld.

Join Towerwall at these Upcoming InfoSec Events

We will be attending, sponsoring and hosting the following InfoSec events this Spring / Summer. Join us!

 

Security BSides Boston 2016

Saturday, May 21 2016


Security BSides is the first grass roots, DIY, open security conference in the world! Security BSides is a great combination of two event styles: structured anchor events and grass-roots geocentric events.


 


 

ISACA New England Conference 2016

Tuesday, June 7, 2016


You are cordially invited to the ISACA New England Conference 2016! Please join us for a day of speaker sessions, lively conversation and professional networking. The conference will be broken out into four tracks:

  • Information Security
  • Cyber Security
  • Governance Risk & Compliance
  • IT Audit


 


 

Information Security Summit 2016

Thursday, June 9, 2016

Please join us for the 2016 Information Security Summit. For 2016, our focus will be the review of the safeguards that organizations should use to mitigate advanced threats and protect their critical assets, focusing on the CIS Critical Security Controls.  Attendees will learn from our lineup of industry experts as they share their experience and knowledge in this special forum.



 

10 Things I Know About… Ransomware Protection

10. Backup files every night.

If you can access yesterday’s files, then there is no need to pay to unlock them today.

9. Patch automatically.

Make sure the operating systems on all devices (phones, tablets, laptops) and all browsers are patched automatically with security updates.

8. Update software.

Make sure your endpoints and network devices are running the latest antivirus and anti-malware software.

7. Use the toolkit.

Implement email and web security tools that analyze email attachments, websites and files for malware and can block potentially compromised advertisements and social media sites that could be infected.

6. Whitelist.

Deploy application whitelisting, which prevents unauthorized applications from being downloaded or run.

5. Replace passwords.

Use strong, unique passwords and do not allow old ones to be reused. If your policy forces a change every 90 days, note that current NIST guidance (SP 800-63B) favors long unique passwords, screening against known-breached password lists and multi-factor authentication over scheduled rotation, with forced changes reserved for suspected compromise.

4. Prevent infestation.

Segment your network using VLANs, so an infection in one area cannot easily spread to another.

3. Watch attachments.

Don’t open suspicious attachments in emails, even from people you know. This will help mitigate risk.

2. Inspect devices.

Deploy Mobile Device Management (MDM) technology, which can inspect devices and block those that do not meet your security standards (no management client or anti-malware installed, antivirus signatures out of date, operating system missing critical patches, etc.).

1. Train your users.

People are the most vulnerable link in your security program, and you need to plan around them. Implement user awareness training so employees are taught not to open unexpected email attachments or download files from untrusted sources.

 

 

This article was recently published in Worcester Business Journal.