Beyond Compliance: Ensuring Data Security in a Web 2.0 World

One of the last things you would want to discover when sitting behind your work terminal is that hackers have infiltrated your company’s network and stolen sensitive information from its data stores.

A rash of recent high-profile attacks against databases has left executives and IT personnel questioning what else can be done. Haven’t they already put security measures into effect?

Unfortunately, while you may have installed the most advanced software available, new threats surface every day and increasingly sophisticated hackers keep finding ways to circumvent these precautions.

The only way for companies to stay out of the headlines as victims of these incidents is to bolster security practices and establish and maintain a proactive, effective security posture.

Meeting compliance standards

It’s critical to first ensure that your company is meeting compliance standards. Data breaches typically occur through the exploitation of known database vulnerabilities.

These attacks succeed because of weak database-level security, ineffective security patch management, inadequate security scanning, SQL injection attacks, or a lack of auditing or security monitoring.

Compliance standards provide a framework to mitigate these security vulnerabilities and protect your database.

While meeting compliance regulations is important, it’s just not enough to effectively secure a corporation. Plenty of breaches have occurred at companies that were deemed compliant.

True database security and risk mitigation requires organizations to proactively assess and adapt for new vulnerabilities and threats, including those that have surfaced since the last audit.

Moving beyond compliance

Protecting confidential internal documents and vital customer information where it resides in the database is critical. Some actions to take include not using vendor-supplied defaults for system passwords and other security parameters, restricting access to data by business need-to-know, and assigning unique IDs to each person with computer access.

It’s important to also track and monitor all access to network resources and cardholder data, as well as regularly test security systems and processes. Additionally, companies need to be prepared to safeguard against emerging threats in the form of more advanced hacking methods.

Emerging threats

Clickjacking, XSS (cross-site scripting) and CSRF (cross-site request forgery) are up-and-coming methods for hijacking user input to launch malware or take control of users who are directed to certain Web sites.

Clickjacking can trigger a slew of unfortunate mishaps for users once the attacker’s code is in place: it usually uses iFrames to stack multiple UI layers, masking the real input elements behind a decoy such as a band’s page.
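The defense against that iFrame layering is to tell the browser who may frame the page. As an added example (not part of the original article), the JavaScript helper below evaluates a page’s response headers, X-Frame-Options and CSP frame-ancestors, and reports whether a given embedding origin would be allowed to frame it; the header values and origins are constructed.

```javascript
// Added example: decide whether a page's response headers would let a given
// embedder origin load it in an iframe (the setup clickjacking relies on).
// Header values and origins below are constructed for illustration.
// Pull the frame-ancestors source list out of a CSP header, or null if absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.toLowerCase().replace(/^'(.*)'$/, '$1'));
    }
  }
  return null;
}

// Does one CSP source expression match the embedder origin?
function sourceMatches(source, embedder, pageOrigin) {
  if (source === 'none') return false;
  if (source === '*') return true;
  if (source === 'self') return embedder === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return embedder.startsWith(source + '//');
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  const scheme = m ? m[1] : null;
  const host = m ? m[2] : source;
  const u = new URL(embedder);
  if (scheme && u.protocol !== scheme + ':') return false;
  // '*.example.com' matches subdomains only, not the bare domain itself.
  if (host.startsWith('*.')) return u.host.endsWith(host.slice(1));
  return u.host === host;
}

// true means the embedder may frame the page, i.e. no effective protection.
function framingAllowed(headers, pageOrigin, embedder) {
  const get = name => Object.keys(headers).find(k => k.toLowerCase() === name);
  const csp = get('content-security-policy');
  const ancestors = parseFrameAncestors(csp && headers[csp]);
  // When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
  if (ancestors !== null) return ancestors.some(s => sourceMatches(s, embedder, pageOrigin));
  const xfoKey = get('x-frame-options');
  if (xfoKey === undefined) return true;
  const xfo = headers[xfoKey].trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder === pageOrigin;
  return true; // ALLOW-FROM and unknown values are ignored by modern browsers
}

// Constructed audit: a login page that only sends X-Frame-Options: SAMEORIGIN
const sampleHeaders = { 'X-Frame-Options': 'SAMEORIGIN' };
console.log(framingAllowed(sampleHeaders, 'https://bank.example', 'https://attacker.example')); // false
```

A page for which the function returns true against an untrusted origin has no framing protection and is a candidate for the overlay technique the article describes.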

Sites that are susceptible to these methods include social networking sites because the average user interacts heavily with those pages without thinking much about security.

The real danger here is not taking the threat of these types of hackers seriously and neglecting to safeguard against them. It’s vital now more than ever to institute policies on the usage of social networking sites as their popularity continues to grow.

The attackers aren’t interested in your favorite movies or pictures from the three-day weekend. Rather, they’re on there to get at the core of your company’s network. And if social sites present an opportunity, you can count on them to take it.

Once they have created a path into your critical infrastructure, these hackers will surely get what they’ve come for by using their tried and true methods.

Attackers will layer these techniques on top of known vulnerabilities in enterprise applications like CRM deployments, enterprise webmail applications and, of course, the databases supporting these systems.

It should be highlighted that browser-based applications are the most exposed to these types of attacks, since they act like a backdoor into your systems without requiring direct access.

Other methods like XSS help attackers use one site to jump to another site and take information from each one along the way. This fits in nicely with how social networks are designed, as users go between different profiles and forums.

The takeaway

Organizational security policies must be well-developed and thorough. If an attacker can break in through some sort of web-based method like clickjacking, IT needs to know who in the company has what rights on the database and other critical web applications.

If you know which sets of data others have access to and how they received those privileges, whether it’s intellectual property (IP) or Social Security numbers, it will be easier to flag a breach and take action. By being proactive, you have a much better shot at keeping your company’s sensitive information secure.