IT Briefcase Exclusive Interview: Data Breach Protection – Now Available for Small-to-Mid-Sized Organizations (Enterprises Too)
February 23, 2018
Featured interview with Linus Chang, CEO and founder, Scram Software
Virtually every day, another story is being told of a large, well-known and highly respected brand suffering from a data breach incident. If organizations that are viewed to be at the top of their industry – those you would expect to have the most highly experienced and talented IT professionals and the very best technology money can buy – cannot protect themselves from infiltration, what hope could small-to-mid-sized organizations possibly have? Today, I speak with Linus Chang, CEO and founder of Scram Software, on this important topic.
1.) In your opinion, are data breaches a significant issue that is only getting worse? Is this true globally, or are there certain geographies more prone to it than others? Any verticals in greater danger than others?
When I look at things from the “outside in” in the same way a non-technical person would, I can only conclude that the IT industry has demonstrated the clear inability to keep confidential data confidential. The issue doesn’t seem to be bound by geography, or size of the organization. In three recent data breaches, 2/3 of Americans, 1/2 of South Africans and 1/2 of Filipinos have had their personal information breached – and we’re not just talking about a name and email address, but data that includes SSNs and other government-issued IDs, addresses and phone numbers, and for many citizens also their income, employment history, height, weight, health information, demographics, behavior, political persuasion, and even fingerprint data and passport numbers.
Are there any common threads here? Yes, it seems to me that there are two major causes that account for most breaches – human error, and hacking. Secondary causes include malware and malicious employees.
2.) Can you cite examples of recent real-world examples?
Of course, everyone knows about the Equifax scandal. Accenture and Deloitte suffered breaches. Some of the high-profile breaches happened because of hacking. However, two examples that are more perplexing are described below.
In 2016, the Australian Red Cross Blood Bank suffered a breach where the names, addresses and details of “at-risk sexual behavior” of 550,000 Australians were leaked when a 3rd party contractor placed a database backup on a public facing web server with no access control. Presumably this was an accident. Encryption was not used in this case.
In 2017, New York’s Stewart Airport suffered a data breach where 760GB of data, including TSA letters of investigation, employee SSNs, network passwords and 107GB of emails were leaked from backups of servers. The leak happened because the backups were stored on a NAS device, which by default had “cloud features” that allowed files on that device to be accessed from anywhere. The device had not been configured properly so anyone could have accessed all the files. Encryption was not used in this case.
3.) Traditionally, how have enterprises worked to combat data breaches? And, why haven’t they been able to be more successful?
First, let’s look at security breaches, because every data breach starts with a security breach. It’s incredibly challenging to prevent security breaches, because there are so many different attack vectors. It’s necessary to do so many things, but here’s a starting list:
– patch servers and systems
– ensure correct configuration of all internet-connected storage (e.g. cloud accounts, web servers, NAS) and implementation of access controls
– implement perimeter security – network firewalls
– implement password quality policies, disable old user accounts
– do network scans to look for vulnerabilities on the network, monitor traffic
– install and use intrusion detection systems, anti-malware, anti-virus, and so on…
– educate non-technical staff about common threats, such as phishing
– educate developers on security practices such as avoiding SQL injection attacks
Preventing security breaches is typically where most enterprises focus their efforts.
On top of preventing security breaches, a very important second step is to stop a security breach from escalating into a data breach by using encryption. As long as the encryption has been performed properly, with the keys stored separately from the data, this mitigates the effects of the exposure of data. However, only approximately 4% of data that has been stolen during a security breach is encrypted (and therefore rendered useless to the attacker).
Why haven’t enterprises been more successful? There are a range of reasons, but overall there is too much dependence on humans always doing the correct thing and never making mistakes. So many data breaches have ultimately been caused by human error – for example, forgetting to patch systems, misconfiguring systems and accounts, and careless programming that leads to vulnerabilities.
4.) Does the “cloud” complicate matters? If so, how?
Back before the days of the Internet, how would you secure a document, like your tax return? Let’s say you put it in a locked filing cabinet, in a locked basement, in a house that had a locked front door, in a house that has a burglar alarm and the family dog. Anyone wanting to steal that document would have to be physically in the area, trespass onto your property, hope that your dog doesn’t bark and bite, disable the alarm, and then break through three layers of security… and know exactly where to look.
Nowadays with the cloud, people are uploading documents to the cloud, commonly to store offsite backups and to facilitate the sharing and transfer of data between parties. However, because it is so convenient to upload data there, security is often forgotten. Sometimes due to misconfiguration, there’s no security at all – allowing public access to data. Other times there’s one level of security, in the form of access level security, and once an attacker is in, they can download huge amounts of data at once. The attack can happen remotely, from a different state or country. We know that on average, 96% of breached data is unencrypted, meaning that the attacker can use the breached data with no further effort.
5.) How about small-to-medium organizations – if the enterprises still suffer, what hope can be provided to the smaller shops?
It’s not a lost cause at all. The good news is that SMEs will often have less data, and often they will have fewer legacy systems like mainframes running COBOL from last century. But with smaller budgets, the SMEs must look for the security mechanisms that will give maximum “bang for buck.” Remember there are two areas to look at:
– Preventing security breaches in the first place, and
– Preventing a security breach from escalating into a data breach
Our research shows that the best area to pursue is the second option. Strong client-side encryption will be very effective at creating a blanket safety net for when access-level controls fail. If implemented properly, an intruder that managed to bypass the security controls would have absolutely no idea what data they were looking at. To start, make sure hard disks are encrypted – full disk encryption is included in modern operating systems.
However, as most leaks and breaches happen from the cloud, good client-side encryption for data at rest in the cloud is also a must. At Scram Software, over the last 3 years we’ve been researching how to help SMEs implement secure encryption for the cloud, and unfortunately our research shows that encryption tends to be poorly understood and has a perception of being difficult to implement. It’s also easy to adopt the wrong kind of system that is not suitable for long-term security of cloud data… and using the incorrect type can be as ineffective as taking a placebo. Unfortunately, some cloud providers confuse things by claiming they offer encryption which happens to be ineffective against many breach scenarios. To counteract these problems and clear the confusion, we put together a checklist of features that are essential for good safeguarding of cloud data: https://scramfs.com/preventing-data-breaches-through-encryption/
In our experience, we have found the easiest way to implement strong encryption for cloud data is via a software based “encrypted file system” – which is a transparent encryption system that encrypts all files before they get uploaded to the cloud. For example, using the ScramFS encrypted file system, we’ve helped companies encrypt all their database backups before they get stored in the cloud, with virtually no change to their existing processes. It’s also remarkably cost effective, especially when compared to the costs of hardware firewalls.
Once encryption is implemented, I’d go back and find the biggest bang for buck in security breach prevention. Firewalls, network security and patching should already be done as part of good I.T. management. So in general, the areas for improvement are user education and training against social engineering attacks (such as phishing), adopting two-factor authentication wherever possible, and educating users about strong passwords.
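The answers to questions 3 and 5 both rest on the same mechanism: a backup is encrypted on the client before it is copied to the cloud, with the key kept somewhere other than the storage that holds the ciphertext, so that a copied bucket, NAS share or web directory yields nothing readable. The following Go program is an added example written for this page; it is not ScramFS or any Scram Software code. It assumes AES-256-GCM as the cipher, the function names (`newKey`, `encryptBackup`, `decryptBackup`, `leaksMarker`) and the backup file name are hypothetical, and the sample database dump is constructed. Beyond the interview's description, it also binds the backup's name into the authenticated data, so a blob cannot be swapped for another one without detection.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Constructed sample standing in for a database dump. The "SSN=" marker lets us
// check that nothing recognizable survives in the stored ciphertext.
const sampleBackup = "id,name,SSN=123-45-6789\nid,name,SSN=987-65-4321\n"

// newKey returns a fresh 256-bit key. In practice it comes from a KMS, an HSM or an
// offline secret store; the point is that it is never stored beside the backup.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptBackup seals plaintext with AES-256-GCM before upload. The backup's name is
// bound in as associated data so a blob cannot be silently renamed or substituted.
// Output layout: nonce (12 bytes) || ciphertext || 16-byte authentication tag.
func encryptBackup(key, plaintext []byte, name string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// decryptBackup reverses encryptBackup. A wrong key, a mismatched name or a single
// flipped bit in the blob fails GCM's tag check, so corruption is reported, not restored.
func decryptBackup(key, blob []byte, name string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed backup")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// leaksMarker reports whether a plaintext fragment is directly visible in the blob,
// i.e. what someone who copies the storage could read without the key.
func leaksMarker(blob []byte, marker string) bool {
	return strings.Contains(string(blob), marker)
}

func main() {
	const name = "customers-2018-02-23.sql" // hypothetical backup file name
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	blob, err := encryptBackup(key, []byte(sampleBackup), name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes; plaintext marker visible: %v\n", len(blob), leaksMarker(blob, "SSN="))

	// A corrupted or maliciously edited copy: flip one bit and try to restore it.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = decryptBackup(key, tampered, name)
	fmt.Println("tampered blob rejected:", err != nil)

	// The legitimate restore path, with the key fetched from its separate store.
	pt, err := decryptBackup(key, blob, name)
	if err != nil {
		panic(err)
	}
	fmt.Println("restore matches original:", string(pt) == sampleBackup)
}
```

The only thing the cloud side ever holds is the blob; the key is fetched at restore time from wherever it is kept. That separation is what turns an exposed backup, as in the NAS and web-server incidents above, into opaque bytes rather than a data breach.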
6.) What parting advice would you offer any sized organization seeking to deploy foolproof protection against data breaches?
It’s going to be hard to achieve total, 100% guaranteed protection, but by applying the 80/20 rule, some small actions can go a very long way. I would definitely make sure that when using the cloud to store and transfer data, there is more than one layer of protection because relying on access-level security alone is insufficient. Don’t be frightened by encryption; the very latest breakthroughs have made it very easy to integrate into existing processes such as backups and transfers, and even to integrate it into applications.