Cyber-Attacks in the News and Data Regulatory Compliance

by David Schlesinger CISSP

You probably have heard of the “Stuxnet” worm or the “Flame” code that was presumably aimed at machines processing radioactive substances. (If you haven’t heard of either, you are working far too hard and need to look around at what is happening in the IT world.) These are specially crafted pieces of code designed to perform specific cyber-attacks, such as accelerating a nuclear centrifuge well past its breaking point while reporting that all was well on the management screens. You may wonder what this has to do with Data Regulatory Compliance.

Consider the tactical situation: a program of malicious code (malware) was somehow injected into a closed foreign military system that had no physical connection to the worldwide Internet. Further, despite a high level of internal security, it was not discovered for years. In fact, it was not identified until it escaped from the “secure” facility (on somebody’s unauthorized laptop, no doubt) and started flying around the world on the Internet.

So the question arises: since your company is always connected to the Internet, and your employees use their laptops outside of your network for personal email and surfing the net, how in the world could you believe that your company network could not be successfully compromised in the future?

Criminals are after your data, not your hardware. (Well, some criminals steal hardware, but these are different criminals with smaller budgets.) Make no mistake; organized crime is knocking at all our doors all the time. Criminal hackers want to download whole databases and sort them later in their own sweet time. They get your data and your company takes the heat. This is bad.

You need a way to protect your most valuable, sensitive, and risky data within the corporate network even if the network is compromised. A reasonable first step is to understand the sensitivity and risks of the data you manage.

Identify which data are affected by regulations and contractual obligations (HIPAA, SOX, PCI, EU FISMA, EU DPD 95/46, PPI, etc.), and which data comprise the “trade secrets” you would not wish to be public. You can’t protect what you cannot identify. Some data will be more sensitive than others, and some data losses will be more costly than others. You first need to know which data is sensitive, and next you will need to know one more thing.

You need to know where in your company this data resides: which servers, which databases, and which laptops. Odds are you will find sensitive data mixed in with all the less sensitive information. Thus, you should make strategic changes in these databases so that you can isolate and protect high-risk data. Lock the gold in the vault, not the pencils.

For example, you might want to put the most sensitive data in separate tables with different access rules, or encrypt them, or place them elsewhere in your network behind an internal firewall. This might slow down a query, but when the database is compromised the hacker will not be able to reach your most sensitive data. Effort and latency must be measured against the cost to the enterprise if the data is stolen and published on the Internet.
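Concretely, the “separate tables with different access rules” approach looks like this in PostgreSQL. This is an added example, not code from the article: the table, schema, column and role names are assumptions, and the passwords are placeholders to be replaced by whatever your secret store provides.

```sql
-- Added example (not from the article): compartmentalising regulated columns
-- in PostgreSQL. Names are illustrative; passwords are placeholders.

-- Before (the "pencils and gold in one drawer" layout the article warns about):
--   CREATE TABLE customers (customer_id, full_name, email, card_number, ssn);

-- After: the low-risk columns stay where every application role can reach them.
CREATE TABLE customers (
    customer_id  bigint PRIMARY KEY,
    full_name    text   NOT NULL,
    email        text   NOT NULL
);

-- The regulated columns move to their own schema (or, better still, their own
-- database or host behind an internal firewall), keyed back to the customer.
CREATE SCHEMA vault;
CREATE TABLE vault.customer_secrets (
    customer_id  bigint PRIMARY KEY REFERENCES customers (customer_id),
    card_number  bytea  NOT NULL,  -- PCI: application-encrypted, never plaintext at rest
    ssn          bytea  NOT NULL   -- PII: same treatment
);

-- New schemas grant nothing to PUBLIC, but say so explicitly so a later
-- "helpful" change is visible in the diff.
REVOKE ALL ON SCHEMA vault FROM PUBLIC;

-- The web application's connection role gets the pencils only.
CREATE ROLE app_web LOGIN PASSWORD 'replace-me';
GRANT SELECT, INSERT, UPDATE ON customers TO app_web;

-- A narrow billing role is the one place the vault is reachable, and only for
-- the columns it actually needs (column-level GRANT).
CREATE ROLE app_billing LOGIN PASSWORD 'replace-me';
GRANT USAGE ON SCHEMA vault TO app_billing;
GRANT SELECT (customer_id, card_number) ON vault.customer_secrets TO app_billing;

-- Check what a compromised app_web session can actually see.
-- (Run as a superuser or a member of app_web so SET ROLE is permitted.)
SET ROLE app_web;
SELECT full_name, email FROM customers;          -- works
SELECT card_number FROM vault.customer_secrets;  -- ERROR: permission denied for schema vault
RESET ROLE;

-- And that app_billing cannot wander beyond its one column.
SET ROLE app_billing;
SELECT customer_id, card_number FROM vault.customer_secrets;  -- works
SELECT ssn FROM vault.customer_secrets;                       -- ERROR: permission denied
RESET ROLE;
```

The two SET ROLE checks are the part worth keeping in a deployment script: they turn the access rule into a test that fails loudly the day someone grants `app_web` a shortcut into the vault. The join between `customers` and `vault.customer_secrets` is the latency the article mentions, and it is paid only by the billing path, not by every page that shows a customer’s name.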

This is not hugely difficult technically, but it is difficult politically. You see, people in your company have been rewarded for years with raises and perks for making things happen faster, and they will resist additional system complexity and latency. You are paying them to resist it.

To make compartmentalized data protection a success, your employees need to feel secure that they will not be penalized for the extra work of securing sensitive data. This is a management challenge, and an opportunity. If you develop teamwork for this program, you now have a high-performing team to tackle your next big technological challenge. Got any of those?

Only with a good risk analysis can you determine the proper level of protection to use for Regulated Information within your data architecture. Don’t make it easy for criminal hackers: provide protection in depth. They will get in.


David Schlesinger

David Schlesinger has 25 years of experience in information technology and data security management. His book, The Hidden Corporation, is a “business novel” that describes data protection issues in a large corporation and follows a dedicated employee as she uncovers the root causes of improper data exposure and discovers solutions. David is CISSP certified in cybersecurity and is on the Board of Directors of the Phoenix ISSA, a security professional association. He has authored two US Patents for data governance methods that use Metadata classifications to audit and automate user rights and regulatory compliance, and speaks widely at data management and security conferences. David is a Senior Security Architect and currently consults with commercial and government organizations on information protection involving enhanced Metadata, self-aware data architecture, data classification practices, and information regulatory compliance.

1 comment for “Cyber-Attacks in the News and Data Regulatory Compliance”

1. August 18, 2012 at 10:48 am

    Heya, I am here for the first time. I found this board and I find it really helpful; it helped me out a lot. I am hoping to give something back and help others as you helped me.
