One of the big issues in IT security these days is protecting the privacy of both clients and personnel. What are some things that can be done to ensure that this information stays safe?
The ordinary safeguards we talk about consist of encryption, data repositories, physical access security, and physical security of backup tapes and backup media. The chain of custody is a lot of times where you will see the source of a breach. People lose tapes, tapes get stolen, backup media or remote devices are lost. The proliferation of remote devices that are now external to the organization's control, like laptops, smart phones or whatever they happen to be employing, makes it difficult to control. Again, you have to go back to this access authority: establishing who has access to the data, controlling access to the data and constantly managing that access security process. It's important to not treat regular access and high-privileged access as the same animal. A lot of times you will see a single security policy applied in an organization to both the general user population and your high-privilege administrators. The high-privilege administrators need to be treated separately; you have to have an additional layer of control over the access that's granted, when it's granted and how that's tracked within the organization. So outside of the standard "we locked the door on our data center and we locked the case on the tapes," it all comes back to that access control.
What kind of regulatory concerns do people need to be aware of when it comes to securing sensitive data?
There's a laundry list of potential penalties that could be employed, but I think the biggest thing for organizations to make themselves aware of is what applies to them and to their market. A lot of organizations might not even be aware of some of the regulatory oversight that their company should be subject to. But when we talk about penalties, what's a greater penalty than going out of business? A high-profile, high-value breach that is widely publicized is a credibility-damaging event. In some cases, when we look at Societe Generale or TJ Maxx, there is a significant and immediate business impact from these breaches. From our perspective, that is the one thing you really want to be aware of. It's far more of a penalty than whatever regulatory fines your organization must pay. It's far more (impactful) than the onus of any state disclosure or breach notification rules or obligations your organization might have. The value of those penalties is far overshadowed by the damage to an organization.
Many attacks go unnoticed for long periods of time as with the Kneber Botnet. Is there anything that companies can do to perhaps catch these intrusions quicker?
Complacency has to be removed from the equation. Organizations can't ever assume they have all their bases covered because hackers are very adaptive and very skilled. A lot of times these organizations or groups of people have as good or better resources, systems and technology to work with as the majority of organizations that they're targeting. It is very important for companies to realize that you don't have to be a certain size or a certain name brand or a certain revenue level to be the target of a hacker. A hacker is looking for any asset they can get a hold of, whether it's the couple of computers in your home office or in a government agency. Everyone is a potential victim. Companies have to understand that everyone is a potential victim and understand that the days of saying "it can't happen to us" have long passed. Security is an ongoing process. You have to commit to the ongoing process and not treat things as individual events or things to react to. My opinion is that getting past the complacency and getting past the reactionary mindset is the most important thing.
What are some of the steps that companies need to take when they discover that they've fallen victim to a hacker?