Sooner or later, every global trend becomes a target for fraud or a source of new risks, and the digitalization of business is no exception: it has turned out to be a double-edged sword. The growing volume of data held about people, combined with easier access to it, has led to a series of information leaks and attacks.
Statistics are a stubborn thing. According to analytics covering the past five years, 65% of corporate information leaks were caused by insiders. More than 95% of the compromised records were exposed through negligence, either ignorance of the rules for handling data or a malfunction in a system. The share of personal data leaks in the total number of incidents did not fall below 60% in any of those five years.
The leaders in leaks are B2C companies with large customer bases: retail banks, microfinance institutions (MFIs) and telecom operators. More than half a billion accounts have been affected by the biggest leaks of the last couple of years. Let me recall some of them, so that this does not sound unfounded.
- In March 2017, hackers put up for sale data from 25 million Gmail accounts and 5 million Yahoo accounts.
- In November 2018, hackers obtained personal information on 120 million Facebook users, and part of it was posted openly.
- The most resonant case, in December 2018: the closure of the social network Google+ after the personal data of 52.5 million account owners leaked.
- In April 2018 secret information was stolen even from NASA, which hid the incident until recently.
- In April, for the first time, data from the Central Bank became publicly accessible, namely the "black list" of customers who are refused service.
- Another domestic slip: in May 2019, internal files of the State Services portal were found to be publicly accessible, among them a list of responsible officials with their personal data, including the head of the FSB interdepartmental cooperation unit.
So it is not surprising that the latest Allianz Risk Barometer 2019 report ranks cyber incidents as the second biggest global business risk. Most attacks target weaknesses in the most widely used applications: browsers, office software and Adobe products. As the head of a company that develops systems for telecom operators, I want to dwell on software security and on preventing leaks caused by the negligence of employees who have compromised their devices or their credentials.
BYOD and clouds
Today's BYOD working arrangements and the use of clouds do not make enterprise cybersecurity any easier. Alongside budget savings and higher employee efficiency and loyalty, BYOD raises the risk of information being leaked or stolen from personal devices. A balance has to be found, because employees become walking targets for attackers, and "loners", as you know, are easier to attack. And employees often do not bother to maintain data security on their personal devices.
The risks that come to the fore are loss of data together with the gadget, infection of computers through the work network, employees' use of unlicensed software and cracked operating systems, and man-in-the-middle attacks. These problems are usually solved with VDI, multi-factor authentication and basic device monitoring, but I advise you not to neglect detailed data-protection instructions for staff either.
90% of corporate data leaks from the clouds are also triggered by the human factor. Social engineering is to blame, not the cloud providers. Psychological bait is becoming more sophisticated and carefully thought out, so work in the "clouds" deserves special attention.
Open Sesame
The first thing to take care of in preventing leaks is to stop access from being compromised when employees authenticate at the network level. Practically all tools for this purpose are built on two-factor authentication.
Biometrics, which Russian banks are already starting to implement, looks like one of the most attractive options. But unless we are talking about a personal smartphone with a single owner, biometrics should not be used as the only access protection. For security, biometric data is confirmed with a smart card, token or password. Such rules are in fact prescribed by the Central Bank and by the international standards ISO/IEC 29003 and FIPS PUB 201-2.
The tokens just mentioned are, by the way, best suited to protecting authentication where biometric systems cannot be introduced. Generating one-time passwords in a hardware token is more reliable than a software counterpart or SMS: there is no SMS for an attacker to intercept over GSM or to read with malware on the phone, and a dead phone battery is no longer a problem. The best option is re-flashable contactless hardware tokens, which, by the way, will also save budget.
Forewarned is forearmed
I cannot help sharing the experience of my company, Forward Telecom. We work with operators whose systems process gigantic arrays of subscribers' personal data, and these companies simply cannot afford a leak. So when we develop software for telecom operators, whether billing, PRM or CRM, we pay a lot of attention to tools that prevent leaks by insiders and quickly remedy the situation if access is compromised. Here are our favorites, proven over the years.
1. Logging.
Activity logs of the operator's employees, together with a detailed journal, track potential and actual threats of internal leakage. Intercepting careless or deliberate operations lets the program instantly block the launch and installation of applications, typed text and work with dangerous files. As a bonus, daily logging can be used to monitor employees' working time.
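An activity log only prevents a leak if something reads it and reacts. The following added example (not Forward Telecom's code; the log format and the threshold are assumptions) parses constructed CRM audit lines and raises an alert when one account touches more than a set number of distinct subscriber records within a sliding five-minute window, the classic signature of an insider exporting the customer base.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample audit log in a hypothetical format: one line per view or
# export of a subscriber record. It is not the output of any real product.
SAMPLE_LOG = """\
2019-06-03T09:00:01 user=ivanov action=view subscriber=100234 ip=10.1.2.15
2019-06-03T09:00:40 user=ivanov action=view subscriber=100981 ip=10.1.2.15
2019-06-03T09:01:10 user=petrov action=export subscriber=200001 ip=10.1.2.40
2019-06-03T09:01:12 user=petrov action=export subscriber=200002 ip=10.1.2.40
2019-06-03T09:01:13 user=petrov action=export subscriber=200003 ip=10.1.2.40
2019-06-03T09:01:15 user=petrov action=export subscriber=200004 ip=10.1.2.40
2019-06-03T09:01:16 user=petrov action=export subscriber=200005 ip=10.1.2.40
2019-06-03T09:01:18 user=petrov action=export subscriber=200006 ip=10.1.2.40
2019-06-03T09:30:00 user=ivanov action=view subscriber=100555 ip=10.1.2.15
2019-06-03T09:45:00 user=sidorov action=view subscriber=300777 ip=10.1.2.60
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"subscriber=(?P<sub>\d+) ip=(?P<ip>\S+)$"
)


def parse_log(text: str) -> List[dict]:
    """Turn raw lines into events; malformed lines are skipped rather than
    allowed to crash the detector (in production, count and report them)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"], "action": m["action"],
            "sub": int(m["sub"]), "ip": m["ip"],
        })
    return events


def detect_bulk_access(events: List[dict], max_records: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Sliding window per user: alert the first time a user touches more than
    `max_records` distinct subscribers within `window`."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, subscriber)
    alerts: Dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["sub"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop events that fell out of the window
        distinct = {sub for _, sub in q}
        if len(distinct) > max_records and ev["user"] not in alerts:
            alerts[ev["user"]] = {"at": ev["ts"], "records": len(distinct), "ip": ev["ip"]}
    return alerts


if __name__ == "__main__":
    for user, info in detect_bulk_access(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {info['records']} records in 5 min from {info['ip']} at {info['at']}")
```

The threshold belongs in configuration and should be tuned per role: a support agent resolving tickets legitimately opens a handful of records per hour, a billing batch job opens thousands and should be excluded by account, not by raising the limit for everyone.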
2. Distribution of rights.
Many neglect to configure rights and restrict access to confidential and important information, and then pay for it when data migrates into the wrong hands. Only a limited circle of responsible people should be able to view and edit files that could harm the company if they ended up in the public domain; for me this is an axiom.
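The cheapest way to honor that axiom in code is a deny-by-default gate that every file operation goes through. The example below is added here and is not the rights model of any Forward Telecom product; the roles, the classification scale and the names are assumptions. It combines role permissions with a clearance check against the document's classification, treats unknown roles and labels as the most restrictive case, and records every decision so that denied attempts are themselves an insider-activity signal.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Assumed classification scale and role permissions for the example.
# Anything not listed here is denied: deny-by-default is the whole point.
LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2}
ROLE_PERMS: Dict[str, FrozenSet[str]] = {
    "support": frozenset({"view"}),
    "billing_admin": frozenset({"view", "edit"}),
    "security_officer": frozenset({"view", "edit", "export"}),
}

AuditEntry = Tuple[str, str, str, bool, str]  # (user, document, op, allowed, reason)


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    clearance: str  # highest classification this person may see


@dataclass(frozen=True)
class Document:
    name: str
    classification: str


@dataclass
class AccessControl:
    audit: List[AuditEntry] = field(default_factory=list)

    def _decide(self, user: User, doc: Document, op: str, allowed: bool, reason: str) -> bool:
        # Every decision, allowed or denied, is recorded.
        self.audit.append((user.name, doc.name, op, allowed, reason))
        return allowed

    def is_allowed(self, user: User, doc: Document, op: str) -> bool:
        # 1. The operation must be granted by at least one of the user's roles.
        if not any(op in ROLE_PERMS.get(role, frozenset()) for role in user.roles):
            return self._decide(user, doc, op, False, "operation not granted to any role")
        # 2. The user's clearance must be at or above the document's classification.
        #    An unknown clearance counts as none; an unknown label counts as the
        #    most sensitive, so a mislabelled file fails closed.
        clearance = LEVELS.get(user.clearance, -1)
        needed = LEVELS.get(doc.classification, max(LEVELS.values()) + 1)
        if clearance < needed:
            return self._decide(user, doc, op, False, "clearance below classification")
        return self._decide(user, doc, op, True, "role and clearance satisfied")

    def denials(self, user_name: str) -> List[AuditEntry]:
        """Denied attempts by one user: repeated denials are worth an alert."""
        return [e for e in self.audit if e[0] == user_name and not e[3]]


if __name__ == "__main__":
    ac = AccessControl()
    agent = User("ivanov", frozenset({"support"}), "internal")
    blacklist = Document("blacklist.csv", "confidential")
    print(ac.is_allowed(agent, blacklist, "view"), ac.denials("ivanov"))
```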
3. Multilevel backup.
More backups, and then more again. This is a case where there is no such thing as "too many". Using an SSD as an optimized read/write cache lets you keep a longer backup history. I think everyone will agree that an old version of the data is better than losing it with no possibility of recovery.
4. Sandboxes.
We are in favor of development and experiments, both our own and our clients'. Experimenting is necessary and possible, but it is better to be careful, and better still to do it in a sandbox. The same goes, it hardly needs saying, for opening suspicious and unverified files. A sandbox in the software is a remedy for "raw" code and viruses, and therefore for the leaks they cause.
5. File verification.
Verifying documents for authenticity, especially after a backup, prevents a file from being silently swapped for an infected one and guarantees that the set is technically clean.
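In practice "verifying after a backup" means recording a digest of every file when the backup is taken and re-checking the set after it is restored. The example below is added here and is not Forward Telecom's tooling; the manifest format and the key name are assumptions. The manifest carries SHA-256 per file and an HMAC over the whole list, so an attacker who can rewrite a backed-up file cannot also rewrite its expected hash without the key; the verifier reports modified, missing and unexpected files separately, because each means something different during an incident.

```python
import hashlib
import hmac
import json
from pathlib import Path
from typing import Dict

# Assumed key, held by the backup system and not stored alongside the backups.
MANIFEST_KEY = b"example-manifest-key-rotate-me"


def read_tree(root: Path) -> Dict[str, bytes]:
    """Load a backup set from disk as {relative path: content}."""
    return {str(p.relative_to(root)): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(files: Dict[str, bytes], key: bytes = MANIFEST_KEY) -> dict:
    """SHA-256 per file plus an HMAC over the sorted list, so the manifest
    cannot be rewritten together with a swapped file."""
    entries = {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(files: Dict[str, bytes], manifest: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Check a restored set against its manifest. The restore is clean only when
    manifest_ok is True and the three lists are empty."""
    report = {"manifest_ok": False, "modified": [], "missing": [], "unexpected": []}
    body = json.dumps(manifest.get("entries", {}), sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest.get("mac", "")):
        return report  # manifest forged or corrupted: trust nothing in it
    report["manifest_ok"] = True
    entries = manifest["entries"]
    for name, digest in entries.items():
        if name not in files:
            report["missing"].append(name)
        elif not hmac.compare_digest(hashlib.sha256(files[name]).hexdigest(), digest):
            report["modified"].append(name)
    report["unexpected"] = sorted(set(files) - set(entries))  # planted files, e.g. a dropper
    return report


def is_clean(report: dict) -> bool:
    return report["manifest_ok"] and not (
        report["modified"] or report["missing"] or report["unexpected"])


if __name__ == "__main__":
    # Constructed backup set; in real use: files = read_tree(Path("/backup/2019-05"))
    files = {"bill/2019-05.csv": b"msisdn,amount\n79001234567,120.50\n"}
    manifest = build_manifest(files)
    print(verify_manifest(files, manifest))
```

Store the manifest with the backup but keep the key elsewhere; if both live on the same share, a tampered backup simply comes with a matching, freshly signed manifest.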
6. Access to the system through secure channels.
In the heyday of remote work, much attention needs to be paid to protecting the channels employees use to work from home.
7. Checking the hardware and software fingerprint of the device a login comes from.
The program takes a fingerprint of the device, including the motherboard ID and the hard drive serial number. This C2V file is stored in the licensing center and compared with the current fingerprint at every authentication. On a mismatch, the key is locked.
8. Alerting when a device is compromised.
If access has nevertheless been compromised, it is best to learn about it the same second. The alerting system notifies those responsible so that they can take measures to prevent a leak of information and personal data.
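Items 7 and 8 are one mechanism seen from two sides: the fingerprint comparison decides, the alert makes someone act. The example below is added here and is not Forward Telecom's licensing center or C2V format; the attribute names, key identifiers and the `notify` hook are assumptions, and how the client reads the motherboard ID and drive serial is platform-specific and left out. The center stores only a hash of the enrolled attributes, locks the key on the first mismatch, keeps it locked until a responsible person clears it, and sends an alert on every lock or unknown-key attempt.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed attributes of the enrolled workstation (values are made up).
ENROLLED_DEVICE = {"board_id": "MB-7F3A-0042", "disk_serial": "WD-WX11A8076543"}


def fingerprint(attrs: Dict[str, str]) -> str:
    """Canonical SHA-256 over the attribute set. Only this hash is stored on the
    server, so a leaked licensing database does not expose raw serial numbers."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


@dataclass
class Alert:
    key_id: str
    reason: str
    details: Dict[str, str]


@dataclass
class LicensingCenter:
    """Holds one enrolled fingerprint per key (the role the C2V file plays in
    the text) and locks the key the moment a login arrives from another device."""
    notify: Callable[[Alert], None]               # e-mail / SMS / pager hook
    enrolled: Dict[str, str] = field(default_factory=dict)
    locked: Dict[str, str] = field(default_factory=dict)   # key_id -> reason
    sent: List[Alert] = field(default_factory=list)

    def enroll(self, key_id: str, attrs: Dict[str, str]) -> None:
        self.enrolled[key_id] = fingerprint(attrs)

    def authenticate(self, key_id: str, attrs: Dict[str, str], user: str) -> str:
        if key_id in self.locked:
            return "locked"  # stays locked until a responsible person unlocks it
        expected = self.enrolled.get(key_id)
        if expected is None:
            self._alert(key_id, "unknown key", user, attrs)
            return "denied"
        if not hmac.compare_digest(expected, fingerprint(attrs)):
            self.locked[key_id] = "device fingerprint mismatch"
            self._alert(key_id, "device fingerprint mismatch", user, attrs)
            return "locked"
        return "ok"

    def unlock(self, key_id: str) -> None:
        """Clearing a lock is a deliberate act by the responsible person; if the
        hardware legitimately changed, re-enroll the key afterwards."""
        self.locked.pop(key_id, None)

    def _alert(self, key_id: str, reason: str, user: str, attrs: Dict[str, str]) -> None:
        alert = Alert(key_id, reason, {"user": user, "fingerprint": fingerprint(attrs)})
        self.sent.append(alert)
        self.notify(alert)


if __name__ == "__main__":
    center = LicensingCenter(notify=lambda a: print("ALERT", a))
    center.enroll("KEY-001", ENROLLED_DEVICE)
    print(center.authenticate("KEY-001", ENROLLED_DEVICE, "ivanov"))
    stolen = dict(ENROLLED_DEVICE, disk_serial="ST-99999")
    print(center.authenticate("KEY-001", stolen, "ivanov"))
```

Two operational caveats: a hardware fingerprint is a control against a stolen or cloned key, not against an attacker who already controls the enrolled machine, and legitimate disk replacements will trip it, so the unlock path must be a documented procedure rather than an emergency improvisation.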
When developing software, my colleagues and I follow one security principle: "Better to be over-vigilant than under-vigilant." Given the global and Russian statistics, spending up to 30% of the time on building and testing multilevel protection is justified.
Share which mechanisms in your practice have provided the best protection against information leaks and compromised access.