[BreachExchange] Throwaway security terms and the danger to businesses

Audrey McNeil audrey at riskbasedsecurity.com
Wed Mar 23 20:18:10 EDT 2016


http://www.scmagazineuk.com/throwaway-security-terms-and-the-danger-to-businesses/article/480969/

As the headlines continue to be filled with stories of sophisticated
cyber-attacks and high-profile data breaches, businesses are beginning to
realise that they could easily be the next victim.

This is leading to increased investment in cyber-security – Gartner
predicts spending will reach US$ 108 billion (£76 billion) by 2019 – with
firms hoping that taking these measures will mitigate the impact such an
event can have on their reputation and bottom line.  The problem is that as
such news becomes more frequent, the industry is beginning to fall into the
common trap of using throwaway security terms.  When terms are used
incorrectly or with little thought for their actual meaning or scope,
businesses can be lulled into a false sense of security regarding the
cyber-security measures they have in place – putting them and their data at
risk.

‘End-to-end encryption’ is one such term.  While the discussion around
encryption has intensified with the US and UK authorities' ongoing campaign
for the creation of encryption back-doors and the many security experts who
have responded with objections, the true scope of what end-to-end
encryption can be referring to is quite vast.  For example, almost every
vendor will implement basic HTTPS. It's easy and encrypts data in transit,
but messages aren't encrypted on either the sender's device or the
recipient's.  That means if either device is lost or stolen, the message
remains readable, a big problem if you're sending sensitive information.

At the other end of the spectrum, there's data-centric encryption.  This
encrypts data prior to it leaving the original device and being sent to the
server, and the recipient must prove their identity every time that they
wish to access the information.  Both examples have been known to fit under
the umbrella of end-to-end encryption but there's a huge difference between
them.  If the industry is using such a broad term to refer to the entire
spectrum, companies will believe that the services that they are using to
share vital data and sensitive documents are providing more security than
they really are.

The term ‘full audit trail’ is another that deserves further scrutiny.
Lots of vendors say that they offer excellent auditability and, in the
face of ever-evolving data laws such as the upcoming EU General Data
Protection Regulation, it's a welcome claim.  In many respects, however,
when a security solution is taken offline it loses those audit
capabilities.  If documents are synced to a device which is then taken off
the network, the business has no idea who that document is being shown or
forwarded on to, meaning a ‘full’ audit trail doesn't exist at all.

Undoubtedly, there will always be times when documents need to be taken
offline, but there are also cases when they absolutely shouldn't, for
instance, government data that requires a high clearance level to view.  At
the very least, organisations need the ability to restrict sensitive data –
if appropriate – from being synced or downloaded.

The challenge of employees taking images of sensitive data is also one that
needs to be addressed.  It's incredibly difficult to stop someone taking a
photo of a screen other than through physical methods, but organisations do
have access to technology that can watermark documents. This distorts the
quality of the image and provides a visual way to trace leaks should one
take place.

‘Data sovereignty’ is also frequently mentioned and, again, it deserves to
be pushed further under the spotlight.  If businesses trust their data to a
third party cloud provider, which many do, how their data is bounced around
between data centres isn't really known.  Without complete visibility of
where data is going, businesses have no clue as to what data regulations
are currently governing it.  While this may have less of an impact if data
is kept within the EU, businesses should worry when it goes further
afield.  For example, the EU-US Privacy Shield has given US firms a legal
pathway to transfer data across the Atlantic.  With the US' different data
regulations and Snowden's revelations, the data of EU businesses may have
been viewed by entities it wasn't intended for.

Another challenge of not being able to control data sovereignty is that
businesses may not know the level of security of a data centre, potentially
increasing the likelihood of a cyber-attack.

Businesses can use encryption to mitigate some of the risk of information
falling into the wrong hands.  While simple encryption now barely
represents a challenge for sophisticated hacking tools, more advanced
alternatives that integrate geolocation and key fragmentation are a much
more effective way of preventing snooping by the bad guys or even security
forces.  Geolocation enables businesses to see exactly where their data is,
empowering them to deny access if they believe it to be in a particular
country where accessing it could pose a risk.  Key fragmentation means a
business can choose to split a key into four, with all custodians needing
to be in agreement before the key can be issued.
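The key fragmentation the article describes, where a key is split between several custodians and all of them must agree before it is released, is an n-of-n secret-sharing scheme. The example below is added here to show the mechanism concretely; it is not code from the article or from any vendor it refers to. It uses XOR sharing: each custodian holds a share that is statistically independent of the key, so any coalition short of all four learns nothing, and the key is reconstructed only when every share is presented. The helper names (`split_key`, `reconstruct_key`, `issue_key`) and the custodian names are assumptions made for the example.

```python
# Added example: n-of-n key fragmentation via XOR secret sharing.
# Helper and custodian names are hypothetical; not from the article or any product.
import secrets
from typing import Dict, List, Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("share length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: List[str]) -> Dict[str, bytes]:
    """Split `key` into one share per custodian; ALL shares are needed to rebuild it.

    The first n-1 shares are fresh random bytes from a CSPRNG. The last share is
    the key XORed with all of them, so the XOR of every share equals the key,
    while any subset of fewer than n shares is uniformly random and carries no
    information about the key.
    """
    if len(custodians) < 2:
        raise ValueError("need at least two custodians")
    if len(set(custodians)) != len(custodians):
        raise ValueError("custodian names must be unique")
    shares = {name: secrets.token_bytes(len(key)) for name in custodians[:-1]}
    last = bytes(key)
    for share in shares.values():
        last = xor_bytes(last, share)
    shares[custodians[-1]] = last
    return shares


def reconstruct_key(shares: Dict[str, bytes]) -> bytes:
    """XOR the supplied shares together. Correct only when every share is present."""
    if not shares:
        raise ValueError("no shares supplied")
    length = len(next(iter(shares.values())))
    acc = bytes(length)
    for share in shares.values():
        acc = xor_bytes(acc, share)
    return acc


def issue_key(required: List[str], submitted: Dict[str, bytes]) -> Optional[bytes]:
    """Release the key only when every required custodian has submitted a share.

    Returns None (and never a partial result) if any custodian is missing, which
    is the 'all custodians must agree' rule from the article.
    """
    missing = [c for c in required if c not in submitted]
    if missing:
        return None
    return reconstruct_key({c: submitted[c] for c in required})


if __name__ == "__main__":
    custodians = ["cfo", "ciso", "legal", "ops"]          # constructed sample custodians
    key = secrets.token_bytes(32)                         # e.g. an AES-256 data key
    shares = split_key(key, custodians)
    three = {c: shares[c] for c in custodians[:3]}
    print("three custodians only ->", issue_key(custodians, three))   # None
    print("all four custodians   ->", issue_key(custodians, shares) == key)  # True
```

Two caveats a practitioner should keep in mind: n-of-n sharing is all-or-nothing, so losing a single share destroys the key for everyone, which is why schemes such as Shamir's k-of-n are used when some tolerance for an absent custodian is wanted; and the shares must be delivered to custodians over authenticated, confidential channels and stored as carefully as the key itself, since they are the only thing standing between an attacker and reconstruction.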

Ultimately, it's the duty of the industry to scrutinise terms to the level
that they deserve and use them responsibly.  Companies too can no longer
take a laissez-faire and tick box approach and assume that they are
receiving the most advanced security.  Businesses must analyse how security
terms are applied and how they protect the business in the event of a
security attack, discovering exactly to what extent they are protected.