Information security has always been a hot topic in the IT industry; however, in recent months the focus on this area has increased further. Whether due to national events such as the alleged hacking of the US election by foreign parties, international crises such as the WannaCry ransomware virus, or personal information attacks such as the latest PopcornTime Ransomware attack (which offers compromised individuals the chance to get their data back if they infect other parties with the virus), we’ve never had more data at greater risk than we do at the time of writing.
In general, we’re seeing the number of security breaches increase year-on-year, with a clear uptick in breaches motivated by financial gain or espionage. While traditional hacking and malware attacks are rising steadily, so are more recent phenomena such as social media attacks and breaches carried out by exploiting senior individuals in organizations through their personal information. The variety of devices accessing sensitive data also broadens this threat landscape, with mobile devices becoming responsible for more and more breaches over time.
Due to these factors, the average cost of a data breach has risen to $4 million (a 29% increase over the last few years) and the cost per compromised data record has risen to a shocking $158. Clearly, it is now not a question of whether organizations can afford enterprise-class security, and more a question of whether they can afford not to.
Here at Cintra, we conduct some of the most comprehensive and holistic security reviews on the market, focusing on much more than just relational databases. Therefore, we felt it would be of interest to break down the primary focus areas of these assessments, and some items which are often overlooked in traditional security reviews.
Tiered Security Model:
Not every organization requires the same security controls as the NSA, and therefore we have established a simple tiered security model, with all of our customers achieving a foundation level of hardening and security at DEFCON3, adding further industry-specific and data-centric controls as we increase up to DEFCON1.
| Level | Controls |
|---|---|
| DEFCON1 | Secured in line with top security clearance standards. Extreme access control in line with stringent change management processes. Access to information locked down and governed by the CISO. |
| DEFCON2 | Secured in line with regulatory compliance requirements. Centralized, protected audit log including superuser and data-related activities. Data encrypted in motion and at rest. |
| DEFCON3 | Default state for all Cintra / STI managed services customers. Infrastructure, OS, DB and application hardening. Auditing of superuser activities enabled. |
This ensures that the appropriate level of security is implemented, in the most cost-effective way.
Architecting for Security:
In line with our tiered security model, over the years we have developed a secure reference architecture, including a layered set of security controls and segmentation to protect our most valuable assets. Again, this reference architecture isn’t a “one size fits all” model, but instead represents a set of tools, such as segmented networks, intelligent web application firewalls, network intrusion prevention and access control measures, that can be applied to various situations.
Security Controls: People
Our reviews focus heavily on organizational structure, ensuring that we have the correct resources in place, that they have sufficient bandwidth and training to carry out their security duties, and are held accountable for doing so. Most importantly of all, the performance of these individuals must be consistently measured to ensure that the security team remains current and effective.
Security Controls: Process
An over-arching requirement that applies to all technical areas is that we must have adequate processes in place to manage the security of those areas. These include, but are not limited to, change control, configuration management, vulnerability management, configuration hardening and security monitoring.
Technology Security: Network
Proper network design is critical to the security of an IT organization, ideally including a degree of segmentation to ensure that sensitive traffic is routed over private VLANs protected by dedicated firewalls. At the very least, our sensitive data areas must be kept separate from public- or internet-facing assets, such as DMZs.
Fortunately, as the severity of data breaches has increased, so has the sophistication of security technology, and we now also have additional tools available to monitor network behavior, prevent data loss via network attacks and ensure that only those individuals who should have access to our network actually do.
Technology Security: Operating System
In addition to traditional Operating System hardening, anti-virus, auditing and encryption, we now give consideration to file integrity monitoring, privilege escalation management and application whitelisting. Again, this ensures that only genuine users and protocols access our servers and, if any critical files or privileges are compromised, we are made aware and can take preventive action automatically and immediately.
Technology Security: Relational Databases
Many database breaches are caused by misuse or excessive allocation of privileges, so it is critical that users are only given access to what they need, when they need it, and that principle should apply not only to data but also to binaries, configuration files and even log files. When that foundation of security is in place, we should add a sensible password management policy, preferably using SSL certificates in place of passwords where possible, and enable auditing of user activity to a reasonable level of granularity.
Above and beyond that, there’s a lot we can do to protect our data: from encryption of data at rest and in motion, to intelligent firewalls that guard against SQL injection attacks, to completely vaulting our data so that access to sensitive data and superuser functions is only granted under strict change control.
Technology Security: Applications and the Middle Tier
Database security is largely negated if the data we’re protecting is at risk within the application or middle tier. Therefore, it is critical that all of the best practices we build into the database tier (encryption, auditing, application of security patches, etc.) are also reflected on the middle tier.
We should also consider the way in which our applications are segregated, for example splitting sensitive applications into their own secure Java domains and keeping them away from less sensitive applications to avoid any potential for lateral movement in the event of a breach.
In addition, due to the diversity of devices now accessing application platforms, mobile endpoint security is essential to ensure that access points are locked down and accessed appropriately.
Summary: Navigating the Security Minefield
If the above examples are enough to make your head spin, you’re not alone. That’s where Cintra comes in, advising our customers on how to build a solid security foundation that provides your business with the assurance that your data is protected, and remains so. Reach out to us today to find out more.
Written by: Simon Rice, VP Enterprise Services, Cintra NY – May 2017