DECODING DIAGNOSTICS
Data is incredibly valuable. Regardless of type, methodology of collection, or even purpose, data by its very nature contains some of the most valuable information about the subject which generates it. Accordingly, this data is exceedingly valuable, and must be protected.
The problem is that many organizations seem to think that protecting this data is a secondary concern to their business functions, or that “well enough” is an okay approach. This couldn’t be further from the truth.
The simple fact is that auditing your servers through constant use of diagnostics is perhaps the single most important practice that you can implement today.
The Value of Data
To really understand why this data must be protected, we need to talk about what makes data so valuable. It would seem that, with the various lacking security features resulting in massive hacks in the last few years, organizations seem to be missing a big piece of the puzzle when it comes to data valuation. There is, of course, the direct value – data can be sold to the highest bidder for whatever their nefarious or justified uses might be, and this is definitely a method of deriving value – but that’s an incomplete valuation.
Data is not just its direct value, but rather its indirect value. Social Security Numbers are obviously extremely valuable in this regard, allowing for people to pose as others, secure jobs, and even get loans, but there are some other items of data that are just as valuable, yet ignored.
Something as simple as your birth date, your dog’s name, special people in your life – these all form the contents of many people’s passwords. When this data is bought and sold, it can be combined to form a dictionary with which variations and scrambles can be tested against known online accounts, exposing bank, social, and other presences.
Going a bit more abstract, consider your browsing habits. Knowing where you go, what you do on those sites, and why you’ve gone there is hugely valuable. Forgetting for a moment that such data can be used to blackmail, threaten, and harass, there is the obvious added value of being able to market directly to you in such a way as to ensure a sale.
In fact, probably the best way to frame this value in an understandable way is to move it out from the virtual space and into the real world. We tend to be more lax about data in a digital form for some reason, likely because it’s a non-physical entity, but what if you had a physical item of identity stolen? What if you pulled out your wallet to pay for something, and noticed your ID card had been stolen. Would you be worried?
Most likely, your answer is yes – why, then, should this change when data is in the digital format, rather than the physical?
Auditing
Data is valuable – so how do we secure it? There are a variety of security methods, encryption standards, and solutions that make it possible to store this data in a secure way, but more often than not, people think of these as a set and forget proposition.
Honestly, that is perhaps more dangerous than if you had no security at all. Having a security system in place is a giant flag for anyone looking for valuable data, and improper configuration or adaptation to modern threats all but negates your solution.
Accordingly, auditing these solutions is vital to success. The following tips will help establish a proper auditing schedule and approach, thereby securing your data in the long term:
• Consider all data to be vital. Whether or not you see the value, treat your most minor data as if it were the personal medical history of the subject in question. You never know why an attacker needs an item of data, so treat each item as sacrosanct.
• Ensure you are keeping systems secure and up to date. Heuristic systems need time to “spin up” and establish a baseline, so ensuring this baseline has been established is vital. Likewise, signature-based systems must have current signature records, so update often.
• Test your system. Everything from hiring penetration testers to using automated systems can help to secure your overall network. Failing to check your network is like walking out your front door without looking to see if it’s locked – if you wouldn’t do that in your house, why would you do it with personal data?
• Understand the risks. Data is protected by a wide variety of legislation from HIPAA to the EU Data Protection Directive, and these protections come with hefty fines and punishments for failure to comply. Ensuring you understand the value of the data and the punishments for failures can help make you and your team comply.
Auditing Approaches
Thankfully, there’s a large number of approaches available for auditing. Developing a data audit plan should be the first step for any organization handling large amounts of data, sensitive or otherwise. When establishing this plan, a few key details must be considered.
What is the type of data you are handling? Is it medical in nature? Governmental? Each of these types of data have laws and regulations concerning their handling, and thus your auditing should consider not only the baseline security policy that is best for the type of data, but the legal implications of this protection. Ensuring compliance is not only a legal matter, but an economic one – failure to do so can cost in the hundreds of thousands of dollars per year, and can quickly take a small headache into a full blown migraine.
Another concern to keep in mind is your attack surface. Every server has a surface called the attack surface, or the range of appliances and devices which expose the data. For instance, if a server simply validates correct or incorrect data, such as whether a student attended a particular school, the attack surface is rather small, limited only to the server responding. If, however, the server stores banking information, then the attack surface expands out to every server which handles this data and the devices which request it, requiring substantially more security and encryption.
Finally, there must be a consideration of on-disk storage methods and technologies. Some solutions are more secure than others, but the real weaknesses often come from methodologies in application. Poorly formed database sanitation procedures can result in a simple attack that results in the destruction of your database, which can only be exacerbated by poor backup, rights management and other procedures. Accordingly, check how you do things, and check often.
Conclusion
Security is a constant cat and mouse game – there is no perfect solution, and there will always be new and stronger threats than the previous set. In the 1980’s and 1990’s, the kinds of attacks that we see today were unheard of, and in many circles, unthinkable. Security evolves, but it evolves in response to threats – you can never truly meet every security threat.
That being said, auditing your system constantly is the bare minimum you must do to ensure you can meet these threats, both current and future. Failing to do so is not a simple mistake – it’s simply negligent, and as such, can result in huge losses, in terms of public relations, economics, and legal responsibilities.