BreachExchange mailing list archives

The Veiled Bride of the Data Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 7 Jul 2014 18:27:15 -0600

http://lpportal.com/editorial/columns/item/3159-the-veiled-bride-of-the-data-breach.html

How many of us know that couple where one partner just seems to spark so
much in the relationship?

The person is fun, charming, and likable; and has a certain quality that
draws others in. They make friends easily. They can lead a conversation, or
listen with real or assumed interest even when the subject is so dry and
boring that it would drive most of us insane. We find them interesting and
attractive in different ways and at different levels. We quickly trust them
and believe their sincerity. The other partner may appear cordial and
friendly, more reserved or withdrawn, or even more negative or hostile; but
this one person brings us together and makes us want to establish a
friendship.

When it comes to data security issues, the data breach has that partner–the
one that draws us in and seeks out our trust and friendship. In many ways
this intimate colleague is critical to the success of both the marriage and
the extended relationships; attracting new and unsuspecting individuals on
a daily basis. In this partnership, the veiled bride is social media.

The Power of Social Media

Social media is an ever-evolving collection of online tools, platforms and
applications that enable all of us to interact with one another and share
information. By using web-based and mobile technologies to turn
communication into interactive dialogue it creates an effective channel for
individuals and groups of people to connect, interact, create and share.

With businesses constantly positioning to make news, build their brands,
improve communications and grow their customer base, companies are using
email blasts and a plethora of platforms to include Facebook, Twitter,
LinkedIn and YouTube to market their products and services. These powerful
communication tools can have significant influence on awareness, acceptance
and behavior. They play an important role in many marketing strategies, and
are also a common vehicle used by many of our employees to network and
communicate with one another. Unfortunately, these same resources are
opening doors to many of our data security issues.

Finding the Opening

“When cyber-criminals are looking for ways to breach our systems, the
starting point to penetrate our information typically has nothing to do
with the use of credit cards, even when that’s the information that they’re
attempting to obtain,” says James Foster, founder and CEO of ZeroFOX. “But
they have to get in somewhere. So what is the best way in? Attackers will
look for the weakest link and a way in that exploits or manipulates the
system at a point of vulnerability. They’ll often use tools that have mass
adoption–even if it fails a thousand times, the one time it does work gets
them in. They are looking for a more covert way to get into the system–one
where they can feed on the user’s trust and delay detection. When you put
it together, the easiest venue to leverage is social media.”

Foster commented that, in our push to get ahead in the highly competitive
world of business, information technologies are expected to reap immediate
benefits. As a result, the technology can be significantly ahead of the
controls. “Security measures can lag behind three to five years,” he added.
“A company’s number one asset is its people. This is a common thread, and a
prime opportunity for access. Ninety percent or more of the malware is
getting in through social media.”

Foster went on to describe a simple scenario as an example. If a hacker
wants to break into XYZ Company, they may create an online persona that
mirrors the brand’s logo, verbiage, and marketing style. They build the
false content using one of many social media platforms, along with a link
that says “XYZ Company Rocks.” If an employee were to open the link, it can
then open the door for the hacker to breach the company. While it may sound
like a simple strategy, hackers have become experts at disguising their
intentions–and it may only take one unsuspecting employee to be successful.
Regrettably, this is only a single, basic example of a problem with
prospects only limited by the imagination and ingenuity of the hacker. This
is the challenge, and only one of many issues that we can face.

Defense in Depth

So how do we combat these problems?

“Unfortunately, existing plans are ninety percent reactive, which is like
patching cracks in a dam with bubble gum,” he says. “There has to be a
plan, a Defense-in-Depth strategy that proactively addresses data
security.” In the information world, it’s about firewalls,
intrusion-detection systems, two-factor authentication, and encryption.
These defenses are layered to make them more resilient. But there has to be
more. Our defenses must include a plan and a partnership that effectively
creates a unified team to combat these threats. This involves a
comprehensive approach that would include:

-  A knowledgeable and educated team that communicates well and works
together

-  A diverse team that can provide different perspectives and offer
comprehensive value

-  Expert external opinions that provide guidance and will objectively
review the plan

-  An adequate budget

-  Privacy and compliance policies

-  A framework and foundation for governance

“As retailers expand their offerings and push online services, internal and
external policies, roles and synergies must be re-evaluated, and a
collaborative security strategy that includes loss prevention absolutely
must be part of the conversation,” Foster states. “The success of the
organization simply depends on it.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
