Tag Archives: Data Security

Endpoint Detection and Response (EDR): Everything You Need to Know


Endpoints are a favorite target of attackers – they’re everywhere, prone to security vulnerabilities, and difficult to defend. 2017’s WannaCry attack, for example, is reported to have affected more than 230,000 endpoints across the globe.

What is Endpoint Detection and Response (EDR)?

Endpoint detection and response (EDR) platforms are solutions that monitor endpoints (computers on the network, not the network itself) for suspicious activity. The term was coined by Gartner analyst Anton Chuvakin in 2013; EDR solutions focus on end-user devices – laptops, desktops, and mobile devices.

EDR solutions provide visibility and monitoring for suspicious activity like malware and cyberattacks on those end-user devices.

Why is EDR Important?

Every device that connects to a network is a potential attack vector for cyberthreats, and each of those connections is a potential entry point to your data. With the rise of BYOD (bring your own device), mobile attacks and sophisticated hacking techniques have only increased your risk of data breaches.

EDR solutions help protect those points of entry into your network by monitoring your endpoints for many modern threats that anti-virus software is unable to detect.

EDR solutions can help monitor and protect against Advanced Persistent Threats (APT), which often use malware-free hacking techniques and security vulnerabilities to gain access to a network. Older anti-virus software can detect malware only when there is a matching signature, and cannot tell that an attacker has access to a computer by watching the attacker’s activity.

Endpoint security is not just an enterprise tool: there are consumer versions of EDR out there these days as well. A few ways endpoint security differs for consumers and enterprises:

  • Remote management and central storage:
    • Enterprises typically provide remote management options so security administrators can configure the appropriate settings. Each endpoint sends audit data to a central repository for audit and analysis.
    • Consumers don’t need the same centralized administration.
  • Auto-updates vs. distributed patches:
    • Enterprises need to adhere to change management processes, which require patches to be distributed during approved change windows.
    • Consumers usually allow the EDR to auto-update per the vendor’s release schedule.


9 Elements of EDR Solutions

Endpoint detection and response solutions can have a range of features – but there are a set of core elements that are essential to EDR:

  1. Console Alerting and Reporting: A role-based console that provides visibility into the organization’s endpoint security status
  2. EDR Advanced Response: Advanced analysis and response capabilities of EDR solutions, including automation and detailed forensics about security incidents
  3. EDR Core Functionality: The capability to detect and report on security threats and vulnerabilities on the endpoint
  4. EPP Suite: Basic functionality that was available in the previous generation of endpoint security software including anti-malware, anti-phishing, and anti-exploit capabilities
  5. Geographic Support: An EDR vendor’s capability to support a global enterprise – because information security is mission critical
  6. Managed Services: The EDR’s ability to feed data to a Managed Security Service or Managed Detection and Response vendor to further augment the security team’s capabilities
  7. OS Support: In order to be effective, an EDR needs to support all of the operating systems in use by your organization.
  8. Prevention: It’s not enough to simply detect a threat – effective EDRs need to provide preventative measures as well, to help mitigate threats and enable teams to take action.
  9. Third-Party Integration: A comprehensive data security strategy often requires integrating with multiple products: EDRs should have APIs or built-in integrations with other solutions to complement and deliver on a layered security approach.

Endpoint Security vs. Anti-Virus Software

As noted in the list above, anti-malware is still a key component of EDR solutions. Older generations of anti-virus software detect threats by signature, which must be available in advance for the malware to be detected. The next generation of EDR solutions includes predictive analysis and advanced threat detection to better protect users.

Additional features found in EDR solutions that are not included in traditional AV solutions include:

  • Malware removal based on matching signatures and analytics
  • Antispyware protection
  • Local firewall
  • Intrusion detection and intrusion prevention warning systems
  • Application control and user management
  • Data control, including portable devices
  • Full Disk Encryption
  • Data Leak Prevention
  • Application Whitelisting

While an EDR solution protects the endpoints on your network, it is limited in what types of activity it can monitor and in what types of malware or cyberattacks it can detect. Varonis is designed to protect enterprise data from zero-day attacks beyond the endpoint – putting perimeter telemetry in context with file activity and user behavior from your core data stores.

Some behaviors that might look normal on an endpoint – a user logging in with a valid username and password, for example – wouldn’t necessarily raise a red flag with an EDR alone. However, that login might be suspicious if the same user logs in from multiple locations within a short time. Varonis DatAlert and Edge analyze file activity, user events, and perimeter telemetry to identify abnormal behavior with added context, so that even seemingly harmless activity is considered in context to get the bigger picture.
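The multi-location login check described above, written out as an added example (not code from the original post or from Varonis). Every login in the constructed sample succeeded with valid credentials, so no single endpoint sees anything wrong; the one-hour window, the log format, the users, IPs and location labels are all assumptions made for the illustration.

```python
"""Flag one account logging in from two different locations within a short window.

Added example, not from the original post. Each login below succeeded with a
valid username and password, so nothing on any single endpoint looks wrong;
only correlating the events across endpoints shows that "alice" was in Boston
and Singapore 42 minutes apart. Log format, users, IPs and locations are
constructed for illustration, and the one-hour window is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, result, user, source IP, location label.
SAMPLE_LOG = """\
2018-05-14T08:02:11Z login ok user=alice src=10.1.4.22 loc=Boston-HQ
2018-05-14T08:31:40Z login ok user=bob src=10.1.7.9 loc=Boston-HQ
2018-05-14T08:45:03Z login ok user=alice src=203.0.113.57 loc=Singapore
2018-05-14T09:10:55Z login ok user=carol src=10.1.4.80 loc=Boston-HQ
2018-05-14T09:12:30Z login failed user=alice src=203.0.113.57 loc=Singapore
2018-05-14T13:20:17Z login ok user=bob src=198.51.100.4 loc=Home-VPN
"""

WINDOW = timedelta(hours=1)  # assumption: "a short time" means one hour


def parse_login_events(text):
    """Return successful logins as (timestamp, user, src, loc), oldest first.

    Failed attempts and malformed lines are skipped; the rule is about where
    a valid credential was actually used, not about password guessing."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[1:3] != ["login", "ok"]:
            continue
        fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, fields["user"], fields["src"], fields["loc"]))
    return sorted(events)


def find_multi_location_logins(events, window=WINDOW):
    """Alert when the same user logs in from two locations less than `window` apart."""
    by_user = defaultdict(list)
    for ts, user, src, loc in events:
        by_user[user].append((ts, src, loc))
    alerts = []
    for user, logins in by_user.items():
        for i, (ts_i, _src_i, loc_i) in enumerate(logins):
            for ts_j, src_j, loc_j in logins[i + 1:]:
                if ts_j - ts_i > window:
                    break  # logins are time-ordered, so later ones are further away
                if loc_j != loc_i:
                    minutes = int((ts_j - ts_i).total_seconds() // 60)
                    alerts.append({"user": user, "from": loc_i, "to": loc_j,
                                   "src": src_j, "minutes_apart": minutes})
    return alerts


if __name__ == "__main__":
    for alert in find_multi_location_logins(parse_login_events(SAMPLE_LOG)):
        print(alert)
```

Bob's two logins are from different locations but almost five hours apart, so only Alice's Boston-then-Singapore pair is reported.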

See how EDR and Varonis can work together – click here for a 1:1 demo and see how a layered security strategy works in your environment.

What Does it Take to Be an Ethical Hacker?


What do you think of when you hear the term “hacker”?

If you immediately envision a mysterious figure out to illegally access and compromise systems with the intent to wreak havoc or exploit information for personal gain, you’re not alone.

While the term “hacker” was originally used within the security community to refer to someone skilled in computer programming and network security, it has since evolved to become synonymous with “cyber criminal,” a change in perception largely due to portrayals in movies and in the media.

As such, the cyber community has developed several terms to differentiate malicious, illegal hackers (known as “black hat hackers”) from other cyber risk and programming professionals without malicious intent.

Read on to learn more about ethical hackers, or jump to our infographic to learn how to become one yourself.

What is a White Hat Hacker?

A white hat hacker — also referred to as a “good hacker” or an “ethical hacker” — is someone who exploits computer systems or networks to identify security flaws and make improvement recommendations. A subset of ethical hackers are penetration testers, or “pentesters,” who focus specifically on finding vulnerabilities and assessing risk within systems.

Unlike black hat hackers, who access systems illegally, with malicious intent and often for personal gain, white hat hackers work with companies to help identify weaknesses in their systems and make corresponding updates.

In many ways, white hat hackers are the antithesis of black hat hackers. Not only do white hat hackers break into systems with the intention of fixing vulnerabilities, they do so to ensure that black hat hackers aren’t able to illegally access the system’s data.

Ten Influential White Hat Hackers

White hat hackers are the “good guys” of the hacking world. They exploit systems to make them better and keep black hat hackers out. Below are some of the most influential white hat hackers.

Tim Berners-Lee
One of the most famous names in computer science, Berners-Lee is the founder of the World Wide Web. Today he serves as the director of the World Wide Web Consortium (W3C), which oversees the development of the web.

Greg Hoglund
Computer forensics expert Hoglund is best known for his work and research contributions in malware detection, rootkits and online game hacking. In the past, he worked for the U.S. government and the intelligence community.

Richard M. Stallman
Founder of the GNU project, a free software project that promotes freedom with regard to the use of computers, Stallman is a prime example of a “good guy” hacker. Stallman founded the free software movement in the mid-1980s, with the idea that computers are meant to support cooperation, not hinder it.

Dan Kaminsky
A well-known figure within the cybersecurity world, Kaminsky is the chief scientist of White Ops, a firm that detects malware activity via JavaScript. He’s best known for discovering a fundamental flaw in the Domain Name System (DNS) protocol that would allow hackers to perform widespread cache poisoning attacks.

Jeff Moss
Ethical hacker Jeff Moss served on the U.S. Homeland Security Advisory Council during the Barack Obama administration and co-chaired the council’s Task Force on CyberSkills. He also founded hacker conferences Black Hat and DEFCON, and is a commissioner at the Global Commission on the Stability of Cyberspace.

Charlie Miller
Miller, who’s largely famous for finding Apple vulnerabilities and winning the well-known Pwn2Own computer hacking contest in 2008, has also worked as an ethical hacker for the National Security Agency.

Linus Torvalds
Software engineer Torvalds created and developed the Linux kernel, which became the core of the Linux family of operating systems.

Kevin Mitnick
Once one of the most notorious black hat hackers around, Mitnick became a white hat hacker after a highly publicized FBI pursuit landed him in jail for computer hacking and wire fraud. Today, he runs Mitnick Security Consulting, which performs security and penetration testing for companies.

Tsutomu Shimomura
White hat hacker Shimomura is best known for assisting the FBI in taking down Mitnick after the black hat personally attacked Shimomura’s computers.

Marc Maiffret
Now the chief technology officer at a leading security management company, Maiffret’s accolades include the invention of one of the first vulnerability management and web application products. He’s also credited with discovering some of the first major vulnerabilities in Microsoft software, including Code Red, the first Microsoft computer worm.

Get a Job as an Ethical Hacker

While the term “hacker” may not have the most positive connotation in today’s vocabulary, it actually encompasses a wide range of professionals with a number of motivations. To learn more about the different types of hackers — including how to become a white hat hacker — check out the full infographic below.

[Infographic: how to be a white hat hacker]

Sources:
Malware Fox | Lifewire | Investopedia | MakeUseOf | Gizmodo | Business News Daily | SC Magazine | Payscale | PCMag | Pluralsight

60 Must-Know Cybersecurity Statistics for 2018


Cybersecurity issues are becoming a day-to-day struggle for businesses. Trends show a huge increase in hacked and breached data from sources that are increasingly common in the workplace, like mobile and IoT devices.

Additionally, recent research suggests that most companies have unprotected data and poor cybersecurity practices in place, making them vulnerable to data loss.

We’ve compiled 60 cybersecurity statistics to give you a better idea of the current state of overall security, and paint a picture of how potentially dire leaving your company unsecured can be.

Data Breaches by the Numbers

The increasing number of large-scale, well-publicized breaches suggests that not only is the number of security breaches going up — they’re increasing in severity, as well.

  1. In 2016, 3 billion Yahoo accounts were hacked in one of the biggest breaches of all time. (Oath.com)
  2. In 2016, Uber reported that hackers stole the information of over 57 million riders and drivers. (Uber)
  3. In 2017, 412 million user accounts were stolen from Friendfinder’s sites. (LeakedSource)
  4. In 2017, 147.9 million consumers were affected by the Equifax breach. (Equifax)
  5. According to 2017 statistics, there are over 130 large-scale, targeted breaches in the U.S. per year, and that number is growing by 27 percent per year. (Accenture)
  6. Thirty-one percent of organizations have experienced cyber attacks on operational technology infrastructure. (Cisco)
  7. 100,000 groups in at least 150 countries and more than 400,000 machines were infected by the WannaCry virus in 2017, at a total cost of around $4 billion. (Malware Tech Blog)
  8. Attacks involving cryptojacking increased by 8,500 percent in 2017. (Symantec)
  9. In 2017, 5.4 billion attacks by the WannaCry virus were blocked. (Symantec)
  10. There are around 24,000 malicious mobile apps blocked every day. (Symantec)
  11. In 2017, the average number of breached records by country was 24,089. The nation with the most breaches annually was India with over 33k files; the US had 28.5k. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  12. In 2018, Under Armour reported that its “My Fitness Pal” app was hacked, affecting 150 million users. (Under Armour)
  13. Between January 1, 2005 and April 18, 2018 there were 8,854 recorded breaches. (ID Theft Resource Center)

Cybersecurity Costs

Average expenditures on cybercrime are increasing dramatically, and costs associated with these crimes can be crippling to companies who have not made cybersecurity part of their regular budget.

  1. In 2017, cyber crime costs accelerated, with organizations spending nearly 23 percent more than in 2016 — on average about $11.7 million. (Accenture)
  2. The average cost of a malware attack on a company is $2.4 million. (Accenture)
  3. The average cost in time of a malware attack is 50 days. (Accenture)
  4. From 2016 to 2017 there was a 22.7 percent increase in cybersecurity costs. (Accenture)
  5. The average global cost of cyber crime increased by over 27 percent in 2017. (Accenture)
  6. The most expensive component of a cyber attack is information loss, which represents 43 percent of costs. (Accenture)
  7. Ransomware damage costs exceeded $5 billion in 2017, 15 times the cost in 2015. (CSO Online)
  8. The Equifax breach cost the company over $4 billion in total. (Time Magazine)
  9. The average cost per lost or stolen record is $141 — but that cost varies per country. Breaches are most expensive in the United States ($225) and Canada ($190). (Ponemon Institute’s 2017 Cost of Data Breach Study)
  10. In companies with over 50k compromised records, the average cost of a data breach is $6.3 million. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  11. Including turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill, the cost of lost business globally was highest for U.S. companies at $4.13 million per company. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  12. Damage related to cybercrime is projected to hit $6 trillion annually by 2021. (Cybersecurity Ventures)

Cybersecurity Facts and Figures

It’s crucial to have a grasp on the general landscape of metrics surrounding cybersecurity issues, including what the most common types of attacks are and where they come from.

  1. Ransomware detections have been more dominant in countries with larger internet-connected populations. The United States ranks highest with 18.2 percent of all ransomware attacks. (Symantec)
  2. The Trojan horse virus Ramnit largely affected the financial sector in 2017, accounting for 53 percent of attacks. (Cisco)
  3. Most malicious domains, about 60 percent, are associated with spam campaigns. (Cisco)
  4. Seventy-four percent of companies have over 1,000 stale sensitive files. (Varonis)
  5. Malware and web-based attacks are the two most costly attack types — companies spent an average of US $2.4 million in defense. (Accenture)
  6. The financial services industry takes in the highest cost from cyber crime at an average of $18.3m per company surveyed. (Accenture)
  7. Microsoft Office formats such as Word, PowerPoint and Excel make up the most prevalent group of malicious file extensions at 38 percent of the total. (Cisco)
  8. About 20 percent of malicious domains are very new and used around 1 week after they are registered. (Cisco)
  9. Over 20 percent of cyber attacks in 2017 came from China, 11 percent from the US and 6 percent from the Russian Federation. (Symantec)
  10. The app categories with the most cybersecurity issues are lifestyle apps, which account for 27 percent of malicious apps. Music and audio apps account for 20 percent. (Symantec)
  11. The information that apps most often leak are phone numbers (63 percent) and device location (37 percent). (Symantec)
  12. In 2017, spear-phishing emails were the most widely used infection vector, employed by 71 percent of those groups that staged cyber attacks. (Symantec)
  13. Between 2015 and 2017, the U.S. was the country most affected by targeted cyber attacks with 303 known large-scale attacks. (Symantec)
  14. In 2017, overall malware variants were up by 88 percent. (Symantec)
  15. Among the top 10 malware detections were Heur.AdvML.C (23,335,068 detections, 27.5 percent of the total), Heur.AdvML.B (10,408,782 detections, 12.3 percent) and JS.Downloader (2,645,965 detections, 3.1 percent). (Symantec)
  16. By 2020, the estimated number of passwords used by humans and machines worldwide will grow to 300 billion. (Cybersecurity Media)

Cybersecurity Risks

With new threats emerging every day, the risk of not securing files is greater than ever, especially for companies.

  1. 21 percent of all files are not protected in any way. (Varonis)
  2. 41 percent of companies have over 1,000 sensitive files, including credit card numbers and health records, left unprotected. (Varonis)
  3. 70 percent of organizations say that they believe their security risk increased significantly in 2017. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  4. 69 percent of organizations don’t believe the threats they’re seeing can be blocked by their anti-virus software. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  5. Nearly half of the security risk that organizations face stems from having multiple security vendors and products. (Cisco)
  6. 7 out of 10 organizations say their security risk increased significantly in 2017. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  7. 65 percent of companies have over 500 users who are never prompted to change their passwords. (Varonis)
  8. Ransomware attacks are growing more than 350 percent annually. (Cisco)
  9. IoT attacks were up 600 percent in 2017. (Symantec)
  10. The industry with the highest number of attacks by ransomware is the healthcare industry. Attacks will quadruple by 2020. (CSO Online)
  11. 61 percent of breach victims in 2017 were businesses with under 1,000 employees. (Verizon)
  12. Ransomware damage costs will rise to $11.5 billion in 2019, and a business will fall victim to a ransomware attack every 14 seconds at that time. (Cybersecurity Ventures)
  13. Variants of mobile malware increased by 54 percent in 2017. (Symantec)
  14. Today, 1 in 13 web requests lead to malware (up 3 percent from 2016). (Symantec)
  15. 2017 represented an 80 percent increase in new malware on Mac computers. (Symantec)
  16. In 2017 there was a 13 percent overall increase in reported system vulnerabilities. (Symantec)
  17. 2017 brought a 29 percent increase in industrial control system–related vulnerabilities. (Symantec)
  18. By 2020, we expect IT analysts covering cybersecurity will be predicting five-year spending forecasts (to 2025) at well over $1 trillion. (Cybersecurity Ventures)
  19. The United States and the Middle East spend the most on post-data breach response. Costs in the U.S. were $1.56 million and $1.43 million in the Middle East. (Ponemon Institute’s 2017 Cost of Data Breach Study)

There’s no question that the situation with cybercrime is dire. Luckily, by assessing your business’s cybersecurity risk, making company-wide changes and improving overall security behavior, it’s possible to protect your business from most data breaches.

Make sure you’ve done everything you can do to avoid your company becoming a victim to an attack. The time to change the culture toward improved cybersecurity is now.


Insider Threats: A CISO’s Guide


According to the recent Verizon DBIR, insiders were complicit in 28% of data breaches in 2017. Broken down by vertical, insiders are responsible for 54% of data breaches in the Healthcare industry and 34% in Public Administration. Hacking (48%) and malware (30%) were the top 2 tactics used to steal data, while human error (17%) and privilege misuse (12%) made the cut as well.


What does it all mean? Insiders have capabilities and privileges that can be abused by either themselves or bad actors to steal important data – making a CISO’s job to identify and build a defense against all of those attack vectors even more complicated.

What is an Insider Threat?

An insider threat is a security incident that originates within the targeted organization. This doesn’t mean that the actor must be a current employee or officer in the organization. They could be a consultant, former employee, business partner or board member.

Anyone who has insider knowledge and/or access to the organization’s confidential data, IT, or network resources should be considered a potential insider threat.

Types of Insider Threats

So who are the possible actors in an insider threat?

First, we have the Turncloak: This is an insider who is maliciously stealing data. In most cases, it’s an employee or contractor – someone who is supposed to be on the network and has legitimate credentials, but is abusing their access for fun or profit. We’ve seen all sorts of motives that drive this type of behavior: some as sinister as selling secrets to foreign governments, others as simple as taking a few documents over to a competitor upon resignation.

Next, we have the Pawn: This is just a normal employee – a do-gooder who makes a mistake that is exploited by a bad guy: whether it’s a lost laptop or mistakenly emailing a sensitive document to the wrong person.

Finally, we have the Impostor: Whereas the Turncloak is a legitimate insider gone rogue, the Impostor is really an outsider who has acquired an insider’s credentials. They’re on your network posing as a legitimate employee. Their goal is to find the biggest treasure trove of information to which their “host” has access and exfiltrate it without being noticed.

Common Behavioral Indicators of an Insider Threat

How do you identify an insider threat? There are common behaviors that suggest an insider threat – whether digital or in person. These indicators are important for CISOs, security officers, and their teams to monitor, track, and analyze in order to identify potential insider threats.


Digital Warning Signs 

  • Downloading or accessing substantial amounts of data
  • Accessing sensitive data not associated with their job function
  • Accessing data that is outside of their behavioral profile
  • Multiple requests for access to resources not associated with their job function
  • Using unauthorized storage devices (e.g., USB drives or floppy disks)
  • Network crawling and searches for sensitive data
  • Data hoarding, copying files from sensitive folders
  • Emailing sensitive data outside the organization

Human Warning Signs 

  • Attempts to bypass security
  • Frequently in the office during off hours
  • Displays disgruntled behavior toward co-workers
  • Violation of corporate policies
  • Discussions of resigning or new opportunities

While the human behavioral warnings can be an indication of potential issues, having digital forensics and analytics is one of the most powerful ways to protect against insider threats. User Behavior Analytics (UBA) and security analytics help detect potential insider threats, analyzing and alerting when a user behaves suspiciously or outside of their typical behavior.

Fighting Insider Threats

A data breach of 10 million records costs an organization around $3 million – and as the old adage says, “an ounce of prevention is worth a pound of cure”.

Because insiders are already inside, you can’t rely on traditional perimeter security measures to protect your company. Furthermore, since it’s an insider – who is primarily responsible for dealing with the situation? Is it IT, or HR, is it a legal issue? Or is it all 3 and the CISO’s team? Creating and socializing a policy to act on potential insider threats needs to come from the top of the organization.

The key to accounting for and remediating insider threats is to have the right approach – and the right solutions in place to detect and protect against them.

Steps for an Insider Threat Defense Plan:

  1. Monitor files, emails, and activity on your core data sources
  2. Identify and discover where your sensitive files live
  3. Determine who has access to that data and who should have access to that data
  4. Implement and maintain a least privilege model through your infrastructure
    1. Eliminate global access groups
    2. Put data owners in charge of managing permissions for their data and expire temporary access quickly
  5. Apply security analytics to alert on abnormal behaviors including:
    1. Attempts to access sensitive data that isn’t part of normal job function
    2. Attempts to gain access permissions to sensitive data outside of normal processes
    3. Increased file activity in sensitive folders
    4. Attempts to change system logs or delete large volumes of data
    5. Large amounts of data emailed out of the company, outside of normal job function
  6. Socialize and train your employees to adopt a data security mindset
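Two of the step 5 alert conditions, implemented over a constructed audit trail as an added example (this is not Varonis code). Rule (a) flags access to sensitive folders outside a user's job function; rule (b) flags a day whose sensitive-folder activity is far above that user's own daily baseline. The folder layout, user-to-role mapping, thresholds and events are all assumptions made for the illustration.

```python
"""Security-analytics rules from the insider threat defense plan (step 5).

Added example, not Varonis code. The audit events, folder names, users
and thresholds are constructed. Two of the listed behaviors are implemented:
  (a) access to sensitive data that is not part of the user's job function;
  (b) increased file activity in sensitive folders, judged against the
      user's own daily baseline (their behavioral profile).
"""
from collections import Counter, defaultdict
from statistics import mean

# Constructed audit trail: (day, user, operation, path).
AUDIT_EVENTS = [
    ("2018-05-07", "alice", "read", "/finance/q1/budget.xlsx"),
    ("2018-05-07", "alice", "read", "/finance/q1/forecast.xlsx"),
    ("2018-05-08", "alice", "read", "/finance/q1/budget.xlsx"),
    ("2018-05-08", "alice", "write", "/finance/q1/notes.docx"),
    ("2018-05-09", "alice", "read", "/finance/q1/budget.xlsx"),
    ("2018-05-10", "alice", "read", "/finance/q1/budget.xlsx"),
    ("2018-05-10", "alice", "read", "/finance/q1/forecast.xlsx"),
    ("2018-05-09", "bob", "read", "/engineering/src/main.c"),
    ("2018-05-10", "bob", "read", "/hr/salaries.xlsx"),  # not bob's job function
    ("2018-05-09", "carol", "read", "/hr/reviews/2018.docx"),
    ("2018-05-10", "carol", "write", "/hr/reviews/2018.docx"),
]
# On 2018-05-11 alice touches far more finance files than on any earlier day.
AUDIT_EVENTS += [("2018-05-11", "alice", "read", f"/finance/q1/file{i}.xlsx")
                 for i in range(9)]

# Sensitive folder prefix -> data-owner group expected to work in it.
SENSITIVE_FOLDERS = {"/finance/": "finance", "/hr/": "hr"}
# Which sensitive groups each user's role legitimately works with.
JOB_FUNCTION = {"alice": {"finance"}, "bob": set(), "carol": {"hr"}}


def sensitive_group(path):
    """Return the owning group of a sensitive path, or None if it is not sensitive."""
    for prefix, group in SENSITIVE_FOLDERS.items():
        if path.startswith(prefix):
            return group
    return None


def out_of_role_access(events):
    """Rule (a): any touch of a sensitive folder outside the user's job function."""
    alerts = []
    for day, user, op, path in events:
        group = sensitive_group(path)
        if group is not None and group not in JOB_FUNCTION.get(user, set()):
            alerts.append({"user": user, "day": day, "op": op, "path": path})
    return alerts


def sensitive_activity_spikes(events, min_events=5, factor=3.0):
    """Rule (b): a day whose sensitive-folder activity is at least `factor` times
    the user's mean over all earlier active days, and at least `min_events`
    (so a jump from 1 to 3 on a quiet account does not fire). Days with no
    sensitive activity are not part of the baseline."""
    daily = defaultdict(Counter)  # user -> Counter(day -> sensitive events)
    for day, user, _op, path in events:
        if sensitive_group(path) is not None:
            daily[user][day] += 1
    alerts = []
    for user, counts in daily.items():
        days = sorted(counts)
        for i, day in enumerate(days[1:], start=1):  # need at least one prior day
            baseline = mean(counts[d] for d in days[:i])
            if counts[day] >= max(min_events, factor * baseline):
                alerts.append({"user": user, "day": day,
                               "count": counts[day], "baseline": round(baseline, 2)})
    return alerts


if __name__ == "__main__":
    print(out_of_role_access(AUDIT_EVENTS))
    print(sensitive_activity_spikes(AUDIT_EVENTS))
```

Alice's baseline over 7 to 10 May is 1.75 sensitive events per day, so her 9 events on 11 May trip rule (b), while Carol's steady HR activity and Bob's single out-of-role read trip only rule (a).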

It’s equally important to have a response plan in place in order to respond to a potential data breach:

  1. Identify threat and take action
    1. Disable the account and/or log out the user when suspicious activity or behavior is detected
    2. Determine what users and files have been affected
  2. Verify accuracy (and severity) of the threat and alert appropriate teams (Legal, HR, IT, CISO)
  3. Remediate
    1. Restore deleted data if necessary
    2. Remove any additional access rights used by the insider
    3. Scan and remove any malware used during the attack
    4. Re-enable any circumvented security measures
  4. Investigate and perform forensics on the security incident
  5. Alert Compliance and Regulatory Agencies as needed

The secret to defending against insider threats is to monitor your data, gather information, and trigger alerts on abnormal behavior.

The Varonis Data Security Platform identifies who has access to your data, classifies your sensitive data, alerts your teams to potential threats, and helps maintain a least privilege model. With the proper resources, CISOs and CIOs can gain visibility into the highest-risk users and gather the intelligence needed to avoid insider threats.

Is Your Biggest Security Threat Already Inside Your Organization?


The person in the cubicle next to you could be your company’s biggest security threat.

The large-scale attacks we’re accustomed to seeing in the news — Yahoo, Equifax, WannaCry ransomware — are massive data breaches caused by cyber criminals, state-sponsored entities or hacktivists. They dominate the news cycle with splashy headlines that tell an all-too recognizable story: one of name-brand corporations vs. anonymous cyber villains.

We focus on outsider threats because they’re both terrifying and thrilling, and because they’re familiar. They often have a clear-cut storyline, one that we’ve seen before. But the hyper-focus on cyberattacks caused by outside parties can lead organizations to ignore a major cybersecurity threat: insiders already in the organization.

We’ve seen these threats before too: attacks of dramatic espionage from Snowden, Reality Winner and Gregory Chung — but insider threats aren’t always so obvious, and they pose a risk even for organizations that don’t operate in the national security space. In fact, research suggests that insider threats account for anywhere from 60 to 75 percent of data breaches.

They’re dangerous for a number of reasons, including because of how much they vary: from rogue employees bent on personal gain or professional revenge to careless staffers without proper cybersecurity training, insider threats can come from almost anyone, making them a prime concern for businesses. Check out our full infographic to learn more about the motives and methods behind these types of threats.

[Infographic: insider threats]

Are you doing everything you can to prevent insider threats?

If you’re granting unnecessary internal permissions, lack an auditing system for high-risk people or sensitive data, or aren’t paying close attention to possible behavioral indicators of malicious activity, your organization is at risk. You’re more vulnerable than you think — assess your risk today to see what you can do to ward off threats that come from the inside.

Infographic sources:
U.S. Department of Homeland Security | 2018 Insider Threat Report | Digital Guardian | MetaCompliance | ITProPortal | IT Governance | Wired

What is Data Integrity and How Can You Maintain it?


If your company’s data is altered or deleted, and you have no way of knowing how, when and by whom, it can have a major impact on data-driven business decisions. This is why data integrity is essential. To understand the importance of data integrity to a company’s bottom line, let us examine what it is, why it’s significant, and how to preserve it.

What is Data Integrity?

Data integrity refers to the reliability and trustworthiness of data throughout its lifecycle. It can describe the state of your data—e.g., valid or invalid—or the process of ensuring and preserving the validity and accuracy of data. Error checking and validation, for example, are common methods for ensuring data integrity as part of a process.

What is the Difference Between Data Integrity and Data Security?

Data integrity is not to be confused with data security. Data security refers to the protection of data, while data integrity refers to the trustworthiness of data.

Data security focuses on how to minimize the risk of leaking intellectual property, business documents, healthcare data, emails, trade secrets, and more. Some data security tactics include permissions management, data classification, identity and access management, threat detection, and security analytics.

Why is it Important to Maintain Data Integrity?

Imagine making an extremely important business decision hinging on data that is entirely, or even partially, inaccurate. Organizations routinely make data-driven business decisions, and when the data lacks integrity, those decisions can have a dramatic effect on the company’s bottom-line goals.

A new report from KPMG International reveals that a large majority of senior executives don’t have a high level of trust in the way their organization uses data, analytics, or AI.

Only 35% say they have a high level of trust in the way their organization uses data and analytics. 92% are concerned about the negative impact of data and analytics on an organization’s reputation. What’s more, 62% of senior executives said technology functions, not the C-level and functional areas, bear responsibility when a machine or an algorithm goes wrong.

Organizations need to take deliberate steps to preserve data integrity so that C-level executives can make sound business decisions.

Data Integrity Threats

Data integrity can be compromised through human error or, worse yet, through malicious acts. Data can be accidentally altered during transfer from one device to another, for example, or deliberately tampered with or even destroyed by hackers.
Common threats that can alter the state of data integrity include:

  • Human error
  • Unintended transfer errors
  • Misconfigurations and security errors
  • Malware, insider threats, and cyberattacks
  • Compromised hardware

So how do you know when your data has integrity? You have to look at the following features:

Retrievability and accessibility – It’s important to have accurate data in the proper locations at the right time when anyone is working on projections, a deal, or a presentation. Without easy, reliable access and retrieval, the business suffers and the way is left open for your competition to win.

Traceability – Today, you can trace every touchpoint you make with a prospect or customer. How? With a data point. The data can inform decision makers and highlight red flags, deficiencies, or limitations. Make sure these touchpoints are accurate.

Reliability – Having reliable, consistent business metrics against company goals and the competition is what will take an organization to the top.

How to Preserve Data Integrity [Checklist]

The data integrity threats listed above also highlight an aspect of data security that can help preserve data integrity. Use the following checklist to preserve data integrity and minimize risk for your organization:

  1. Validate Input: When your data set is supplied by a known or unknown source (an end-user, another application, a malicious user, or any number of other sources) you should require input validation. That data should be verified and validated to ensure that the input is accurate.
  2. Validate Data: It’s critical to certify that your data processes haven’t been corrupted. Identify specifications and key attributes that are important to your organization before you validate the data.
  3. Remove Duplicate Data: Sensitive data from a secure database can easily find a home on a document, spreadsheet, email, or in shared folders where employees without proper access can see it. It’s prudent to clean up stray data and remove duplicates.

Smaller companies without dedicated staff will find that the following tools can assist them in cleaning up duplicate files on a hard drive or in the cloud.

For Windows Servers: Use the Data Deduplication feature to clean up cloned files. Also try the File Server Resource Manager to remove stray files.

  4. Back up Data: In addition to removing duplicates, data backups are a critical part of preserving data integrity. Backing up is necessary and goes a long way toward preventing permanent data loss. How often should you be backing up? As often as possible. Keep in mind that backups are critical when organizations get hit with ransomware attacks. Just make sure that your backups aren’t encrypted by the ransomware as well!
  5. Access Controls: We’ve made the case above for input validation, data validation, removing duplicates, and backups – all necessary to preserve data integrity. Let’s not rule out a few popular data security best practices that can also lend a hand: access controls and an audit trail. Individuals within an organization without proper access and with malicious intent can do grave harm to the data. What’s worse, an outsider impersonating an insider can be just as damaging. Implementing a least privilege model – where only users who need access to data get access – is a very effective form of access control. What’s often overlooked is physical access to the server. The most sensitive servers should be isolated and bolted to the floor or wall. Only individuals who need access should have a key – ensuring that the keys to the kingdom are kept secure.
  6. Always Keep an Audit Trail: Whenever there is a breach, it’s critical to data integrity to be able to track down the source. Often referred to as an audit trail, this gives an organization the breadcrumbs to accurately pinpoint the source of the problem.

Typically, an audit trail has the following properties:

  • Audit trails need to be automatically generated
  • Users should not have access to or the ability to tamper with the audit trail
  • Every event – create, delete, read, modified – is tracked and recorded
  • Every event is also aligned to the user, so you know who accessed the data
  • Every event is time stamped so that you know when the event took place
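As an added example (not code from the original article or from Varonis), here is a small Python audit trail that has the properties listed above: entries are generated by the system rather than supplied by the caller, each carries the user, the action, the target and a timestamp, and entries are chained by SHA-256 so that editing or removing any earlier entry is detected on verification. The user names and file paths are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the first entry (a convention chosen for this example)


class AuditTrail:
    """Append-only, hash-chained audit trail.

    Every entry stores the SHA-256 of the previous entry, so a rewrite or
    deletion anywhere in the history breaks the chain and verify() reports
    the index at which the trail stops being trustworthy.
    """

    def __init__(self, clock=None):
        self._entries = []
        # Clock is injectable so the demo is deterministic; real use takes UTC now.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    @staticmethod
    def _digest(entry):
        # Canonical JSON (sorted keys, fixed separators) so the hash is stable.
        payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(payload).hexdigest()

    def record(self, user, action, target):
        """Generated by the system: sequence number, timestamp and chain link are
        filled in here, so a user cannot shape or back-date their own entry."""
        if action not in ("create", "read", "modify", "delete"):
            raise ValueError(f"unknown action: {action}")
        body = {
            "seq": len(self._entries),
            "time": self._clock(),
            "user": user,
            "action": action,
            "target": target,
            "prev": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        body["hash"] = self._digest(body)
        self._entries.append(body)
        return body["hash"]

    def entries(self):
        # Copies, so a caller holding the export cannot mutate the live trail.
        return [dict(e) for e in self._entries]

    @staticmethod
    def verify(entries):
        """Return (True, None) for an intact trail, else (False, first bad index)."""
        prev = GENESIS
        for i, e in enumerate(entries):
            stored = e["hash"]
            body = {k: v for k, v in e.items() if k != "hash"}
            if e.get("seq") != i or body["prev"] != prev or AuditTrail._digest(body) != stored:
                return False, i
            prev = stored
        return True, None


def demo():
    """Constructed scenario: three events, then two kinds of tampering on an export."""
    ticks = iter(["2024-01-01T09:00:00+00:00",
                  "2024-01-01T09:05:00+00:00",
                  "2024-01-01T09:07:00+00:00"])
    trail = AuditTrail(clock=lambda: next(ticks))
    trail.record("alice", "create", "/finance/q1.xlsx")
    trail.record("bob", "read", "/finance/q1.xlsx")
    trail.record("alice", "modify", "/finance/q1.xlsx")
    clean = trail.entries()
    tampered = trail.entries()
    tampered[1]["user"] = "mallory"   # someone rewrites who read the file
    deleted = trail.entries()
    del deleted[1]                    # someone removes an entry entirely
    return AuditTrail.verify(clean), AuditTrail.verify(tampered), AuditTrail.verify(deleted)


if __name__ == "__main__":
    print(demo())
```

The chain only proves that the exported history matches what the system wrote; it does not stop an administrator who can rewrite the whole file from the first entry onward. In practice the trail is shipped to a store the monitored users cannot write to, and the latest hash is periodically anchored somewhere else (a separate log server or a signed checkpoint), which is the "users should not be able to tamper with the audit trail" requirement above.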

Data Integrity Empowers Decision Makers

Not too long ago, it was difficult to collect data. However, today it’s no longer an issue. In fact, we’re able to collect so much data, the responsible thing to do is to preserve data integrity. That way, management can confidently make data-driven decisions that steer their company in the right direction.

Interested in more information on data integrity? Take a listen to our podcast with Ann Cavoukian on GDPR and Access Control or browse through our article on The Difference Between IAM’s User Provisioning and Data Access Management.

How to Respond to a Cyber Security Incident

Every day another company is caught off guard by a data breach. While avoiding an attack is ideal, it’s not always possible. There’s no such thing as perfect security. Even if you’ve outsourced your IT or your data lives in the cloud, ultimately the responsibility for keeping your customer data safe falls on your shoulders.

In the unfortunate case that your company suffers a breach, you should be prepared to address it swiftly. To help, we created an easy to implement plan that outlines ways to proactively respond and recover from a cyber security incident.

Avoid

Avoiding an attack is best whenever possible – but it’s just as important to have a cyber incident response plan in place in anticipation of an attack.

Take Inventory

What information is mission critical to your organization? Where does it live? How quickly can it be reinstated if it’s taken out in an attack?
Perform a complete audit of your systems, take note of the most important components, and track everything. Make sure you are not the only person aware of this document.

Pick a Team (or Two)

Now that you know what is most important, make sure all the relevant players are aware as well. Nominate one person as the IT owner in the event of a cyber attack. This individual needs to be readily available in case of an emergency, and equipped to manage the many internal technical components involved with recovering from a breach. Nominate a second person to own the external needs of a breach – such as reaching out to public relations, getting in touch with the organization’s legal counsel, etc. Both of these roles are critical for a timely and effective response. Just to be safe – pick a second in command for both teams. After all, no man is an island.

Make a Plan

You know the data, you have the right people in place – now it’s time to develop an actionable plan and provide specific, concrete procedures to follow during a cyber incident. The procedures should address:

  • Who has lead responsibility?
  • How to contact critical personnel, and what data, networks, and services should be prioritized for recovery.
  • How to preserve data that was compromised by the intrusion and perform forensics to review for gaps in security and insights into the actual attack.
  • Who needs to be notified (data owners, customers, or partner companies) if their data or data affecting their networks is stolen.
  • When and what law enforcement will be brought into the picture, as well as any regulated reporting organizations.

Need a little more guidance? The California Department of Technology has a wonderful outline available online that is a great starting point!

Once developed, this plan should NOT live in a bubble. Make sure everyone on the team is aware of it and has read and reviewed it. In addition, take time to appraise the plan every quarter for relevancy and update it as necessary. Unfortunately, security is not static. Also, and this is important, the plan should be tested PRIOR to an actual cyber incident. A tornado, zombie apocalypse or biblical flood is NOT the time for a try-out.

Address

Despite all your planning, preparation, and good intentions – what happens if (when) you are struck by a cyber attack? First things first – implement your cyber incident plan as soon as possible. Take a critical assessment of the situation. Does it appear to be a malicious attack or a simple tech glitch or misconfiguration? Once you’ve determined intent (and it’s not good), it’s time to collect and preserve the impacted data, and put the rest of your plan into action.

Who You Gonna Call?

Shhh…it’s not Ghostbusters! You should already have this information in place and readily available in your cyber incident plan. Start your outreach right away and begin with your response owners and work your way down the line. For example, the “external” owner at your organization should notify law enforcement, possible victims and the Department of Homeland Security, if necessary. Overall, the best approach is transparency. No one wants to admit to a breach. However, hiding critical information or delaying notification can backfire. A good approach involves being as direct as possible, highlighting the known and promising a timely follow up on any unknown. As always, keep it simple and straightforward. Don’t make promises you cannot keep or address concerns that are not valid.

You Might Need a Professional

Sometimes an internal response team just isn’t enough. Fortunately, there are many third-party organizations that specialize in incident response and can help you navigate through the breach. A fresh set of eyes can look at the breach in a way internal staff – already vested in the company and the outcome – cannot. They can help you discover exactly what has been accessed and compromised, identify what vulnerabilities caused the data breach, and remediate so the issue doesn’t happen again.

Verify, then Reinstate

Finally, verify that your backup data was NOT compromised. It would be “no es bueno” to restore your system using data that you believe is valid, only to discover that your backup was just as bad as your compromised data.
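One concrete way to do this check, which also covers the "Validate Data" step in the data integrity checklist earlier on this page, is a hash manifest: record the SHA-256 of every file when the backup is taken, keep that manifest somewhere the backup job itself cannot overwrite, and compare before restoring. The Python below is an added example, not code from the original posts or from Varonis; the directory layout and file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    # Stream the file so large backup archives do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare what is on disk now with what the manifest said at backup time."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def is_restorable(report):
    # Any difference at all means the backup set is not the one you verified.
    return not any(report.values())


def demo():
    """Constructed scenario: take a manifest, then damage the backup and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.csv").write_text("id,name\n1,Ann\n")
        (backup / "config.ini").write_text("[app]\nmode=prod\n")
        manifest = build_manifest(backup)
        clean = verify_backup(backup, manifest)
        # Simulated damage: one file rewritten, one removed, one added after the fact.
        (backup / "db" / "customers.csv").write_bytes(b"\x00not the original bytes\x00")
        (backup / "config.ini").unlink()
        (backup / "unexpected.txt").write_text("was not in the manifest\n")
        dirty = verify_backup(backup, manifest)
    return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print("restorable before damage:", is_restorable(before))
    print("restorable after damage:", is_restorable(after), after)
```

The manifest is only as trustworthy as its storage: if it sits next to the backup with the same credentials, whoever encrypted or altered the backup can regenerate the manifest too. Store it on write-once media or under a separate account, and treat "unexpected" files with the same suspicion as modified ones.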

Action

Even after a cyber incident appears to be under control, remain vigilant. Many intruders return and attempt to regain access to networks that they previously compromised. It’s possible that, despite your best efforts, a hacker could STILL find a way into your system. They are a slick, determined bunch.

Monitor & More

Continue to monitor your system for out of the ordinary activity. Invest in a software solution that utilizes User Behavior Analytics to recognize unusual behavior and notify prior to an actual attack. Varonis, for instance, will recognize and notify about both external and internal threats before irreparable damage can be done.
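To make "recognize unusual behavior" concrete, here is an added Python example (not Varonis's product logic or code from the original post) that runs two simple behavioral checks over constructed file-access log lines: a per-user volume check, where a day is flagged if its event count exceeds that user's own historical mean plus three standard deviations, and an after-hours check for modify and delete actions. The log format, the 08:00 to 18:00 business window and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log format: "<ISO timestamp> user=<name> action=<verb> path=<file>"
LINE = re.compile(r"^(\S+) user=(\S+) action=(\S+) path=(\S+)$")


def parse(lines):
    """Return (timestamp, user, action, path) tuples; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts, user, action, path = m.groups()
            events.append((datetime.fromisoformat(ts), user, action, path))
    return events


def daily_counts(events):
    """user -> {date: number of events on that date}"""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, _, _ in events:
        counts[user][ts.date()] += 1
    return counts


def flag_volume(events, k=3.0, min_history=3):
    """Flag (user, date, count) when a day's activity exceeds the user's own
    baseline (mean + k * stddev of earlier days). Only earlier days form the
    baseline, so a burst cannot raise the threshold that should catch it."""
    alerts = []
    for user, per_day in daily_counts(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough history to call anything unusual
            # Floor the deviation at 1 so a perfectly flat baseline still yields a threshold.
            threshold = mean(history) + k * max(pstdev(history), 1)
            if per_day[day] > threshold:
                alerts.append((user, day.isoformat(), per_day[day]))
    return alerts


def flag_after_hours(events, start=8, end=18):
    """Flag modify/delete events outside the business-hours window (assumed 08:00-18:00)."""
    return [(user, ts.isoformat(), action, path)
            for ts, user, action, path in events
            if action in ("modify", "delete") and not (start <= ts.hour < end)]


def sample_log():
    """Constructed input: four quiet days for alice, then a burst, plus one late-night delete."""
    lines = []
    for day in range(1, 5):
        for n in range(3):
            lines.append(f"2024-03-0{day}T10:0{n}:00 user=alice action=read path=/finance/report{n}.xlsx")
    for n in range(40):
        lines.append(f"2024-03-05T11:{n:02d}:00 user=alice action=read path=/finance/file{n}.xlsx")
    lines.append("2024-03-05T23:15:00 user=bob action=delete path=/hr/payroll.csv")
    lines.append("this line does not match the format and is ignored")
    return lines


if __name__ == "__main__":
    events = parse(sample_log())
    print("volume alerts:", flag_volume(events))
    print("after-hours alerts:", flag_after_hours(events))
```

A real deployment baselines per user and per peer group over weeks rather than days, and adds context such as the sensitivity of the paths touched; the point of the example is the shape of the logic, which is the same whether the events come from a file server, a SaaS audit API, or an EDR agent.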

Just the Facts Ma’am

Once your organization has recovered from the attack, it’s time to thoroughly review what happened, and take steps to prevent similar attacks. What went well with the cyber incident response plan? What may need just a wee bit of tweaking? Assess the strengths and weaknesses of the plan, and determine what needs adjusting. Implement the changes. You’ll be glad you did if (when) you are attacked again.

React, Revise & Revisit

Protecting against a cyber incident is a full-time job. As ransomware evolves and the insider becomes a consistent threat, it’s important to continuously revise and revisit your Cyber Incident Response plan:

  • Keep your plan up to date.
  • Have the right technology in place (including lawful network monitoring) to address an incident.
  • Hire legal counsel that is familiar with the complex issues associated with cyber incidents.
  • Make sure existing corporate policies align with your incident response plan.

A cyber incident is never something you want to face. However, being proactive and prepared will make a huge difference in your response.

Introduction to OAuth (in Plain English)

We’ve talked about giving away your passwords and how you should never do it.  When a website wants to use the services of another—such as Bitly posting to your Twitter stream—instead of asking you to share your password, they should use OAuth instead.

OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.

This is a quick guide to illustrate, as simply as possible, how OAuth works.

The OAuth Flow

There are 3 main players in an OAuth transaction: the user, the consumer, and the service provider.  This triumvirate has been affectionately deemed the OAuth Love Triangle.

In our example, Joe is the user, Bitly is the consumer, and Twitter is the service provider who controls Joe’s secure resource (his Twitter stream).  Joe would like Bitly to be able to post shortened links to his stream.  Here’s how it works:

Step 1 – The User Shows Intent

Joe (User): “Hey, Bitly, I would like you to be able to post links directly to my Twitter stream.”
Bitly (Consumer): “Great! Let me go ask for permission.”

Step 2 – The Consumer Gets Permission

Bitly: “I have a user that would like me to post to his stream. Can I have a request token?”
Twitter (Service Provider): “Sure.  Here’s a token and a secret.”

The secret is used to prevent request forgery.  The consumer uses the secret to sign each request so that the service provider can verify it is actually coming from the consumer application.

Step 3 – The User Is Redirected to the Service Provider

Bitly: “OK, Joe.  I’m sending you over to Twitter so you can approve.  Take this token with you.”
Joe: “OK!”

<Bitly directs Joe to Twitter for authorization>

This is the scary part. If Bitly were super-shady Evil Co. it could pop up a window that looked like Twitter but was really phishing for your username and password.  Always be sure to verify that the URL you’re directed to is actually the service provider (Twitter, in this case).

Step 4 – The User Gives Permission

Joe: “Twitter, I’d like to authorize this request token that Bitly gave me.”
Twitter: “OK, just to be sure, you want to authorize Bitly to do X, Y, and Z with your Twitter account?”
Joe: “Yes!”
Twitter: “OK, you can go back to Bitly and tell them they have permission to use their request token.”

Twitter marks the request token as “good-to-go,” so when the consumer requests access, it will be accepted (so long as it’s signed using their shared secret).

Step 5 – The Consumer Obtains an Access Token

Bitly: “Twitter, can I exchange this request token for an access token?”
Twitter: “Sure.  Here’s your access token and secret.”

Step 6 – The Consumer Accesses the Protected Resource

Bitly: “I’d like to post this link to Joe’s stream.  Here’s my access token!”
Twitter: “Done!”
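The six steps above, played out in code: the following Python is an added example (not Bitly's or Twitter's implementation, and not from the original post) that models the OAuth 1.0 flow with an in-process service provider and consumer. It shows what the "secret" from Step 2 actually does: every call is signed with HMAC-SHA1 keyed on the consumer secret plus the current token secret, the provider only hands out an access token for a request token the user has approved, and a caller who holds an access token but not its secret cannot produce a valid signature. The URLs (sp.example), keys and the single-request-token-per-exchange rule are assumptions; real OAuth 1.0a also carries timestamps, nonce tracking and an oauth_verifier, and runs over TLS.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote


def _enc(value):
    # OAuth 1.0 percent-encoding: only unreserved characters are left as-is
    return quote(str(value), safe="-._~")


def signature_base(method, url, params):
    # METHOD & url & sorted "k=v" pairs; the oauth_signature itself is never signed
    pairs = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items())
                     if k != "oauth_signature")
    return "&".join([method.upper(), _enc(url), _enc(pairs)])


def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with the consumer secret and (once one exists) the token secret
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    mac = hmac.new(key, signature_base(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


class ServiceProvider:
    """Twitter's role: holds the consumer secret, issues and checks tokens."""

    def __init__(self):
        self.consumers = {}       # consumer_key -> consumer_secret
        self.request_tokens = {}  # token -> {"secret", "authorized_by"}
        self.access_tokens = {}   # token -> {"secret", "user"}
        self.streams = {}         # user -> posted links

    def register_consumer(self, key, secret):
        self.consumers[key] = secret

    def _valid(self, method, url, params, token_secret=""):
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        if secret is None:
            return False
        expected = sign(method, url, params, secret, token_secret)
        return hmac.compare_digest(expected, params.get("oauth_signature", ""))

    def request_token(self, method, url, params):  # Step 2
        if not self._valid(method, url, params):
            raise PermissionError("request not signed by a known consumer")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "authorized_by": None}
        return tok, sec

    def authorize(self, user, token):  # Step 4: the user approves on the provider's own site
        self.request_tokens[token]["authorized_by"] = user

    def access_token(self, method, url, params):  # Step 5
        rt = self.request_tokens.get(params.get("oauth_token"))
        if rt is None or rt["authorized_by"] is None or not self._valid(method, url, params, rt["secret"]):
            raise PermissionError("request token not authorized, or bad signature")
        del self.request_tokens[params["oauth_token"]]  # a request token is exchanged once
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "user": rt["authorized_by"]}
        return tok, sec

    def post(self, method, url, params):  # Step 6
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None or not self._valid(method, url, params, at["secret"]):
            raise PermissionError("bad access token or signature")
        self.streams.setdefault(at["user"], []).append(params["status"])
        return "Done!"


class Consumer:
    """Bitly's role: signs every call with its secret plus the current token secret."""

    def __init__(self, key, secret, provider):
        self.key, self.secret, self.sp = key, secret, provider

    def call(self, endpoint, params, token_secret=""):
        url = f"https://sp.example/{endpoint}"  # constructed endpoint URL
        p = {"oauth_consumer_key": self.key, "oauth_nonce": secrets.token_hex(4), **params}
        p["oauth_signature"] = sign("POST", url, p, self.secret, token_secret)
        return getattr(self.sp, endpoint)("POST", url, p)


def run_flow():
    sp = ServiceProvider()
    sp.register_consumer("bitly-key", "bitly-secret")  # constructed credentials
    bitly = Consumer("bitly-key", "bitly-secret", sp)
    rt, rt_secret = bitly.call("request_token", {})                              # Step 2
    try:  # exchanging before Joe has approved must fail
        bitly.call("access_token", {"oauth_token": rt}, rt_secret)
        early_rejected = False
    except PermissionError:
        early_rejected = True
    sp.authorize("joe", rt)                                                      # Steps 3-4
    at, at_secret = bitly.call("access_token", {"oauth_token": rt}, rt_secret)   # Step 5
    reply = bitly.call("post", {"oauth_token": at, "status": "https://bit.ly/x"}, at_secret)  # Step 6
    try:  # holding the access token without its secret is not enough to sign a request
        bitly.call("post", {"oauth_token": at, "status": "spam"}, "guessed-secret")
        forgery_rejected = False
    except PermissionError:
        forgery_rejected = True
    return reply, sp.streams["joe"], early_rejected, forgery_rejected


if __name__ == "__main__":
    print(run_flow())
```

Two things to notice when reading the output: Joe's Twitter password never appears anywhere in the exchange, and the provider can revoke Bitly's access by deleting one entry from access_tokens without touching any other consumer's tokens, which is the revocation property the recap below relies on.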

Recap

In our scenario, Joe never had to share his Twitter credentials with Bitly.  He simply delegated access using OAuth in a secure manner.  At any time, Joe can log in to Twitter and review the access he has granted and revoke tokens for specific applications without affecting others.  OAuth also allows for granular permission levels.  You can give Bitly the right to post to your Twitter account, but restrict LinkedIn to read-only access.

OAuth Isn’t Perfect…Yet

OAuth is a solid solution for browser based applications and is a huge improvement over HTTP basic authentication.  However, there are limitations, specifically with OAuth 1.0, that make it far less secure and less user-friendly in native and mobile applications.

OAuth 2.0 is a newer, more secure version of the protocol which introduces different “flows” for web, mobile, and desktop applications.  It also has the notion of token expiration (similar to cookie expiration), requires SSL, and reduces the complexity for developers by no longer requiring signing.

Other Resources

Hopefully this was a good primer to get you familiar with OAuth so the next time you see “Sign-in with Twitter” or similar delegated identity verification, you’ll have a good idea of what is going on.

If you want to dive deeper in into the mechanics of OAuth, here are some helpful links: