Four Common Misconceptions about Data Security

February 28, 2017 / by Theresa Webster

In this article we discuss four of the most common misconceptions about data security.

#1 "Desktop is more secure than web applications."

Desktop programs run locally on a PC, whereas web applications run in a web browser via the internet. Most people believe data stored through a desktop program is more secure than data stored through a browser-based application because of the perceived control over the data. Not all desktop programs store data within the local network, however. Some desktop programs access, send and store data on remote servers, which is the same data storage method web applications use.

Where a system is accessible from outside the internal network, whether through a VPN or via the internet, the same security threats apply, and therefore the same precautions should be taken to ensure data storage is secure.

#2 "I have a firewall, so I’m protected."

Firewalls help screen out hackers, viruses and worms attacking your network or computer. More specifically, a firewall is a network security system designed to prevent unauthorised access to a private network. Firewalls can be hardware or software based, and they monitor and control incoming and outgoing traffic based on predefined security rules.

A firewall alone is insufficient to protect a network from intrusion. There are many other vulnerabilities that some firewalls are not designed to address, and the majority of data security breaches are due to firewall misconfiguration. In addition to defining the firewall configuration and rules, implementing complementary solutions such as intrusion protection, vulnerability scanning, virus and malicious code scanning, VPN and internal firewalls will significantly improve data protection. Here are a few examples of attacks that can occur through a firewall:

Phishing

Phishing attacks are when a virus is sent by email through a firewall and persuades the recipient to reveal their password. There should be controls within your firewall settings to help mitigate the risk of phishing attacks.

Session hijacking

Session hijacking is another term for man-in-the-middle attacks, where existing communication sessions are taken over. Ensuring your application encrypts communication is the best way to mitigate this type of attack.

Sneakernet

Sneakernet is a term used to describe the physical transfer of electronic data by moving media such as a USB stick. These attacks can be carried out by disgruntled insiders or poorly trained device users. Device scanning software is the best mitigating option for this type of attack.

#3 "My data is not safe in the cloud."

What does it mean when data is stored in the cloud? Cloud storage is a model where the physical storage of data is on a server or spans multiple servers, often in multiple locations, managed by a hosting company. Cloud storage makes data available to users on a network (typically over the internet), and cloud storage services can include the maintenance, management and backup of data.

When selecting a cloud storage provider, ensure they provide and employ a level of security controls appropriate for your data storage type. Here are a few areas to research regarding security implemented with your cloud storage provider:

Physical Security

How is physical access to hardware controlled? How do they prevent unauthorised access and how is this monitored, detected and corrected?

Privacy

Does the storage provider encrypt your data? How do they control soft access? Do they implement an identity management system to control access?

Firewall and anti-virus

How do they implement and control changes to their firewall configuration? Do they have anti-virus to prevent, detect and remove malware? What controls do they have in place to prevent internal attacks or to detect intrusions?

Disaster Recovery

What processes are in place for disaster recovery? What are the SLAs for restoring services? What was their total downtime in the past year? Do they have a history of executing their disaster recovery plan? What processes do they have in place to ensure data is not lost and data integrity is maintained?

#4 "The application is password protected, so my data is safe."

Many people believe that if they enter a username and password to access an application, their data is safe. In May 2016, approximately 273 million account credentials from Gmail, Hotmail and Yahoo were stolen. Passwords are only one level of security, and how the passwords are transmitted, stored and managed affects the effectiveness of password protection.

Password transmission

When a user enters their login credentials, the username and password are transmitted to a server for verification. Passwords are vulnerable to interception during transmission, and therefore the best method for an application is to hash the password and transmit it via SSL.

Password storage

A cryptographic hash function should be used by the application to store passwords. With a well-designed hash function it is computationally infeasible to reverse the function and recover the plaintext password.

Password management

An application should provide a way to enforce a set of password rules. These will include password strength, history count and forced password change frequency. For further password management, an application may provide details such as a login log so that you can view successful and unsuccessful login attempts to monitor access.
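The following is an added example, not code from the article or from Broughton Software, showing how the storage and management points above fit together: passwords are stored only as a salted PBKDF2 hash, and the strength, history-count and change-frequency rules are enforced at password change and at login. The iteration count, 12-character minimum, history length of 5 and 90-day age are assumed policy values, not figures from the article.

```python
import hashlib
import hmac
import os
import re

# Policy values below are assumptions for this example, not figures from the article.
PBKDF2_ITERATIONS = 200_000            # raise as hardware allows; slows offline guessing
HISTORY_COUNT = 5                      # previous passwords a user may not reuse
MAX_PASSWORD_AGE_SECONDS = 90 * 86400  # force a change after 90 days

def hash_password(password: str, salt=None) -> tuple:
    """Return (salt, digest); a fresh random salt per password defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids a timing leak."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def strength_problems(password: str) -> list:
    """List the strength rules the password fails; an empty list means it is acceptable."""
    rules = [
        (len(password) >= 12, "at least 12 characters"),
        (re.search(r"[A-Z]", password) is not None, "an upper-case letter"),
        (re.search(r"[a-z]", password) is not None, "a lower-case letter"),
        (re.search(r"[0-9]", password) is not None, "a digit"),
    ]
    return [rule for ok, rule in rules if not ok]

def set_password(record: dict, new_password: str, now: int) -> None:
    """Apply strength and history rules, then store only salt + hash (never plaintext)."""
    problems = strength_problems(new_password)
    if problems:
        raise ValueError("password needs " + ", ".join(problems))
    for salt, digest in record.get("history", []):   # newest first, current included
        if verify_password(new_password, salt, digest):
            raise ValueError("password was used within the last %d changes" % HISTORY_COUNT)
    record["history"] = ([hash_password(new_password)] + record.get("history", []))[:HISTORY_COUNT]
    record["changed_at"] = now

def login(record: dict, password: str, now: int) -> str:
    """Return 'denied', 'expired' (correct but past its age limit) or 'ok'."""
    salt, digest = record["history"][0]
    if not verify_password(password, salt, digest):
        return "denied"
    if now - record["changed_at"] > MAX_PASSWORD_AGE_SECONDS:
        return "expired"
    return "ok"
```

The record dict stands in for a user row in a database; in a real application the login outcome would also be written to the login log the article mentions.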


Topics: Data Management, Data Integrity, data governance, Data Security, Cyber Security

Written by Theresa Webster

Theresa Webster is the co-founder of Broughton Software and serves as their Director of Product Management. After studying at the University of North Carolina at Charlotte receiving a BSc in Biology and a BA in Chemistry, Theresa began her career at Broughton Laboratories, a leading UK MHRA and US FDA GMP licensed contract laboratory. In her role as a Commercial Projects Manager, she developed business start-ups from idea to fully operational divisions, in particular, the stability storage facility and software services. Theresa led the software services division to become a stand-alone business in 2012 as Broughton Software providing the industry's leading LIMS solution for Quality Control Laboratories. In her personal time, Theresa enjoys travel and fitness.