In this article we discuss four of the most common misconceptions about data security.
#1 "Desktop is more secure than web applications."
Desktop programs run locally on a PC whereas web applications run in a web browser via the internet. Most people believe data stored through a desktop program is more secure than browser based applications because the perceived control over data. Not all desktop programs store data within the local network. Some desktop programs access, send and store data on remote servers which is the same data storage method as web applications.
Where a system is accessible outside the internal network, whether through VPN or via internet, the same security threats apply, and therefore the same precautions should be taken to ensure data storage is secure.
#2 "I have a firewall, so I’m protected."
Firewalls help screen out hackers, viruses and worms from attacking your network or computer. More specifically, it is a network security system designed to prevent unauthorised access to a private network. They can be hardware or software based, and they monitor and control incoming and outgoing traffic based on predefined security rules.
"A firewall alone is insufficient to protect a network from intrusion."
A firewall alone is insufficient to protect a network from intrusion. There are many other vulnerabilities that some firewalls are not designed to address, and the majority of data security breaches are due to firewall misconfiguration. In addition to defining firewall configuration and rules, implementing complementary solutions such as intrusion protection, vulnerability scanning, virus and malicious code scanning, VPN and internal firewalls will significantly improve data protection. Here are examples of a few attacks that can occur through a firewall:
Phishing
Phishing attacks are when a virus is sent by email through a firewall that persuades a recipient to reveal their password. There should be controls within your firewall settings to help mitigate the risk of phishing attacks.
Session hijacking
Session hijacking is another term for man in the middle attacks where existing communication sessions are taken over. Ensuring your application encrypts communication is the best way to mitigate this type of attack.
Sneakernet
Sneakernet is a term used to describe they physical transfer of electronic data by moving media such as a USB stick. These attacks can occur by disgruntled insiders or poorly-trained device users. Device scanning software is the best mitigating option for this type of attack.
#3 "My data is not safe in the cloud."
What does it mean when data is stored in the cloud? Cloud storage is a model where the physical storage of data is on servers or spans across multiple servers, often in multiple locations and managed by a hosting company. Cloud storage makes data available to users on a network (typically over the internet) and cloud storage services can include the maintenance, management and back up of data.
When selecting a cloud storage provider, ensure they provide and employ a level of security controls appropriate for your data storage type. Here are a few areas to research regarding security implemented with your cloud storage provider:
Physical Security
How is physical access to hardware controlled? How do they prevent unauthorised access and how is this monitored, detected and corrected?
Privacy
Does the storage provider encrypt your data? How do they control soft access? Do they implement an identity management system to control access?
Firewall and anti-virus
How do they implement and control changes to their firewall configuration? Do they have anti-virus to prevent, detect and remove malware? What controls do they have in place to prevent internal attacks or to detect intrusions?
Disaster Recovery
What processes are in place for disaster recovery? What are the SLAs for restoring services? What is their total downtime in the past year? Do they have a history of executing their disaster recovery plan? What processes do they have in place to ensure data is not lost and data integrity is maintained?
#4 "The application is password protected, so my data is safe."
Many people believe that if they enter a username and password to access an application, that their data is safe. In May 2016, approximately 273 million account credentials from Gmail, Hotmail and Yahoo were stolen. Passwords alone are only one level of security, and how the passwords are transmitted, stored and managed can impact the effectivity of password protection.
"An application should provide a way to enforce a set of password rules. This will include password strength, history count, and force password change frequency."
Password transmission
When a user enters their login credentials, their username and password is transmitted to a server for verification. Passwords are vulnerable to interception during transmission, and therefore the best method an application should use is to hash the password and transmit via SSL.
Password storage
A cryptographic hash function should be used by the application to store passwords. A well designed hash function is computationally infeasible to reverse the function to recover a plaintext password.
Password management
An application should provide a way to enforce a set of password rules. This will include password strength, history count, and force password change frequency. For further password management, an application may provide details such as a login log so that you can view successful and unsuccessful login attempts to monitor access.
You May Also Be Interested In...
-
The 2017 Data Integrity Regulatory Deadline
-
When the Regulators Arrive, How Compliant is your Excel spreadsheet?
-
Our Founder, Dr. Paul Moran, Leading the Way in Data Integrity