- Security TWENTY
- Women in Security
Cybercrime is no longer monopolised by elite criminals and no longer consigned to the dark web alone, writes Terry Ray, pictured, SVP at the data and app security product company Imperva.
Recent investigations indicate that hackers have become much braver and are now operating in the open, using popular apps to conduct illegal dealings. Criminals are now using consumer applications like Telegram and social media platforms to trade valuable personally identifiable data (PII) such as stolen payment card details.
Data is being stored in an ever-shifting array of locations and that widening landscape is creating more opportunities for the cybercrime ‘industry’. The exploding web application universe offers multiple new and vulnerable attack vectors that can act as a direct gateway to enterprise data. The widespread use of web applications for critical activities expands the potential attack surface available to the cybercrime industry, making it harder for companies to defend themselves effectively.
With that in mind, businesses have a duty to review their web application landscape and ensure the data passing over these systems is secure. One system backdoor or poorly coded component could lead to a major, organisation-wide breach – so it’s worth making the effort to get it right.
Why attack a web application?
Attackers keep looking for novel ways to extract information and send commands. By operating ‘in the open’, the traffic generated can be made to appear less suspicious and therefore less likely to be blocked.
As a result, to minimise the chance of data being stolen more co-operation is required between popular application platforms and security professionals, as well as an increase in consumer awareness. Underpinning all that is a need for better data-centric security – ensuring that personally identifiable information is secured wherever it moves, not just in its home database.
As soon as you input data into a web application – whether it be your bank, social media platform, shopping portal or whatever – it’s security and sometimes it’s use, is now out of your control. You’ve got to assume the data you put in will exist for the rest of your life. It becomes a question of privacy and trust – do the owners of the application really just keep your data for a certain amount of time? And more importantly, what happens if they’re hacked? Where does that information go? Do they sell or share that data with others, many do? Do they take responsibility when they hire others to maintain and secure your data, many don’t?
As a result of that risk, consumers and businesses should be very careful about what data they put on web applications. For consumers, if you wouldn’t want the World to know it, don’t put it online, and for businesses, investing in data-centric cybersecurity is a must.
The human factor
More often than not, however, breaches are a result of data owners themselves making a mistake. Every time you take on a service that makes your life easier, you also take on a bigger risk. We expect that the organisations with which we share our data are doing what their best to protect it, but in reality there is often far less scrutiny and awareness in place than most people would expect.
Regulation can help drive companies to establish best practice, but it only sets a low baseline rather than a high water-mark. Good security starts well above that benchmark. Unfortunately, most companies still can’t answer basic questions on where sensitive data is stored, who uses it and what was lost if there’s a breach. There needs to be an increased focus on data monitoring and depth of insight – you might know something’s gone, but do you know what was taken, how much and who took it?
How much do you think can be done given the statistic from IAPP (International Association of Privacy Professionals) that it still takes at least 2 weeks from the time of an incident occurrence through to discovery of that incident? We do better at home. How long does it take to know your house was broken into? Too many organisations collect private data, yet don’t treat it like the important asset it is to you. Data importance is relative and while regulatory compliance helps to build importance on private consumer data, most agree it doesn’t go far enough and still companies don’t spend additional budget taking security further than necessary.
The privacy question
At the heart of this debate is the question of privacy. How should companies walk the line between guarding personal information and ensuring their systems are used responsibly? More and more, the speed of business requires technical connections between companies. Financial services firms often allow access to various investment platforms, bank transfer mechanisms, partner banks, insurance, and other components of the FS industry. The same can be said for almost any major industry today. Consider even manufacturing with all of the modern automated supply chain logistics and partner networks and applications linked in the chain. Data must be shared between these entities and like the germs on a schoolyard jungle gym, so must the bad or varying security practices of each partner, creating risk within the ecosystem.
For companies that store personal data, there is a hefty burden of responsibility. Once private data’s been stolen, it’s gone – you’ll never get it back. The people you trusted to store your data are responsible for it. Once information has been taken, whether it’s used to buy a house or given to your doctor, it’s the fault of the business that allowed the breach to happen. As a result, companies in that position must ensure they protect the personal data they hold.
Private data is a living asset within a company, growing and moving as needed to support the business over time. Names and addresses might originally only be used for product shipments, then later used in a direct marketing campaign, then again later for customer reviews, and so forth. Data crosses functional corporate boundaries, possibly starting in shipping, then marketing, then customer success, etc, each with their own processes for privacy. The more touching hands, the more risk.
Data security begins with monitoring all access to all data. Many companies complain that, that is impossible. It’s not, but it might be expensive and may require some investment in people and technology. The problem of collecting massive amounts of data and its insecurity grew for decades without effective controls in place, so it makes sense that the right catch-up solution to this problem for major corporations may seem overwhelming. It doesn’t have to. Companies need to start somewhere, much like they did when they first asked for private data. Once the data security project begins, it too, should live, grow and move with the data.
The front end to data, web applications, are typically protected via web application firewall technology. This technology comes in many forms and has been available to companies for more than two decades. There is little excuse today for companies who fall victim to web application exploits.
On the back side of web applications, lives the data itself. Given the volume of data used today and the need to monitor it all, companies require the use of automation to support their teams protecting it. There are very few experts in the field of data security, so companies leverage machine learning and artificial intelligence in lieu of humans in the task of identifying bad behaviour within the massive volumes of utilised corporate data.
While the ways forward are well defined, many companies have grown beyond their ability to rapidly protect all of there data and application assets. This leads them to prioritise those systems that are most impactful to their business to protect first. This is somewhat admirable, but leaves other systems considered less important, exposed. Additionally, those systems that get prioritised often contain data that is only impactful to the business, like formulas and other intellectual property. The data left unprotected, while not impactful to the business, may be very impactful to you. Remember that the importance of data is highly relative to the individual or business.
This is the world we live in and while its changing slowly, my recommendation stays the same. Limit how much you expose yourself and your family’s data to the world. There are somethings you simply can’t avoid. We all need a bank account, doctor, etc … But there are many more places where its not worth the risk to share your data.