Top Ten Ways to Prevent Data Breaches

Thursday, October 11, 2012

Paul Kenyon


Let’s face it, computer networks are complicated and keeping them secure depends on a multitude of factors. At the core of this, however, are administrative rights that make it possible to fundamentally alter the configuration of a desktop, its installations and applications. In fact, when you’re dealing with admin rights, a slight error can result in a malicious attack on the company’s server, potentially compromising the entire network. 

And frankly, users with admin rights are loose cannons -- you just don’t know when or where they are going to strike, and the results can be devastating to the company’s security infrastructure. Once a problem occurs, it often unravels into a downward spiral taking your business - and reputation - down with it.

But there are steps that can be taken to mitigate your organization’s risk, and they mostly revolve around taking a “least privilege” approach: end users can perform their jobs with ease but without threatening the organization’s security. Here are 10 steps towards making “least privilege” a reality.

Step 1: Regularly Evaluate Risk

IT specializes in certain areas that standard users ignore, such as files within the Windows folder and protected parts of the registry. If these are altered without IT knowing, either accidentally or maliciously, it can make the system unstable and increase the risk of data leakage. Simply put, if IT doesn’t know what applications and changes users have made or installed, then it can’t be sure that sensitive data isn’t being redirected into the hands of an unknown third party. Regular evaluation of security risks, combined with application whitelisting, is essential in providing that extra layer of defense.

Step 2: Encourage Users to Have Fewer Devices

The proliferation of personal devices in the workplace has increased complexity and costs for an enterprise. Considering how rapidly the Bring Your Own Device (BYOD) trend is taking hold, it’s impractical to eliminate personal devices in the workplace altogether. Indeed, a recent Cisco survey of 600 international IT leaders in 18 industries revealed 78% of employees use mobile devices for work. Enterprises must thus strike a balance between the use of personal and mobile devices and corporate desktops. If an employee justifies the use of a device, the onus is on the enterprise to establish its compliance with company policy, with a clear strategy to determine who is responsible for support.

Step 3: Move to a Managed Environment

Lock down machines so that users can only change their desktop configurations -- not the core system. This can save enterprises time and money, as it reduces support costs and mitigates lost productivity from network downtime.

Enterprises must also consider how to transition to a managed environment while still aligning with business objectives. Microsoft Group Policy and Microsoft System Center are just two examples of tools that enable the effective deployment of services such as patch management and software distribution.

Step 4: Improve End-User Experience

Security is often seen as too limiting for users, but by adopting a well-planned and well-implemented least privilege policy, enterprises can actually improve the user experience and give privileges back to those who were previously on excessive lockdown.

When users make system-level changes, they can weaken the endpoint or introduce application clashes, which can have serious consequences. Following the example of devices like the iPad and Android smartphones, which both operate in a curated environment, organizations can catalogue a portfolio of programs and applications that are needed and supported. Doing so will help track changes to the system and further secure the core system configuration. Furthermore, giving users feedback on their activities, rather than completely blocking their access, will result in fewer help desk calls and reduce the likelihood of “privilege creep”.

Step 5: Maximize Investment in Active Directory

Most Windows organizations have Active Directory, but few realize its impact on achieving centralized management and a business-policy-driven architecture. Why not use the facilities already built into the product to enable a more efficient and productive IT system?

That said, there are limits to what you can do in terms of control and security, so the best option is to bolster security by using products that are tightly integrated with Active Directory, particularly third-party least privilege solutions that integrate with it. Doing so will provide more granular control, allowing admin rights to be removed easily without adversely impacting end users and, ultimately, productivity.

Step 6: Improve Network Uptime

Many organizations fail to recognize the connection between excess admin privileges and lost productivity. For example, without a least privilege environment, an infected machine could launch a DoS (denial of service) attack undetected by the user, flooding the network with traffic and bringing routers and switches to a halt. A least privilege environment, by contrast, not only improves the stability of the desktop but also improves the quality of the entire network.

Step 7: Regulatory Compliance

Demonstrating compliance can prevent regulatory fines, and a least privilege approach is at its core. Many compliance codes state, either implicitly or explicitly, that users should have the minimum amount of privileges needed to complete everyday tasks.

For example, PCI DSS (Payment Card Industry Data Security Standard) states that the organization must ensure that privileged user IDs are restricted to the least amount of privileges needed to perform their jobs.

Step 8: Demonstrate Due Diligence

This goes hand in hand with Step 7, and at its heart helps educate staff about safe computing. Additionally, a least privilege approach helps demonstrate to customers that you’re taking all reasonable measures to protect their information. Many organizations and public services have been publicly named and shamed for data breaches, damaging their reputations and eroding customer confidence, which in turn lowers an organization’s ROI.

Step 9: Analyze Support Costs

Simply put, secure and managed systems are cheaper to support, which in turn makes security a business enabler as opposed to an initial expense. Providing a knowledge base and intranet will also help to reduce support incidents, which directly impact cost, and those who take a relentless, incremental approach to their security will continue to see support costs fall.

Step 10: Reduce Complexity

As we learned in Step 1, the likelihood of data leakage increases when users are able to make unauthorized and uncatalogued changes. Systems are complex enough without the added complications that come with excess privileges, so enterprises should simplify their security posture by replacing local administrative rights with standard user accounts.
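The verification behind Step 10 (and the visibility Step 1 asks for), as an added example that is not part of the original article: a PowerShell script that lists the members of the local Administrators group, compares them with an allow-list of approved accounts, and only removes the rest when explicitly asked to. The allow-list entries and the domain name CONTOSO are placeholders; it assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module.

```powershell
# Added example (not from the article): audit the local Administrators group
# against an approved allow-list and report, or optionally remove, anything else.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Accounts allowed to stay local administrators (constructed placeholders;
    # replace with your own approved break-glass account and admin group).
    [string[]]$Approved = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Workstation Admins'),

    # Without -Remediate the script only reports; with it, unapproved members
    # are removed (honours -WhatIf and -Confirm through ShouldProcess).
    [switch]$Remediate
)

# Current membership, read before any change so the report shows the starting state.
$members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

foreach ($m in $members) {
    # -contains is case-insensitive, matching how Windows compares account names.
    $isApproved = $Approved -contains $m.Name

    # One report row per member; pipe the script to Export-Csv to keep evidence.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Member   = $m.Name
        Type     = $m.ObjectClass      # User or Group
        Source   = $m.PrincipalSource  # Local, ActiveDirectory, MicrosoftAccount, ...
        Approved = $isApproved
    }

    if (-not $isApproved -and $Remediate) {
        if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m
        }
    }
}
```

Run it without switches on a sample of desktops first; once the report shows only approved members, schedule it with -Remediate so local admin rights that creep back are caught and reverted.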

Boiling these down to the basics, organizations should implement a security strategy tailored to their business objectives as a vital first step in safeguarding data. Next, removing admin privileges from the majority of users will lower support costs and mitigate security threats. To maintain productivity, enterprises should give users the flexibility to use the line-of-business software they need. On certain occasions, enterprises may also identify users who need additional rights to install approved software. Finally, enterprises should leverage least privilege management to achieve a smart balance: an IT environment in which everyone can still be productive while remaining secure. Introducing a least privilege approach really comes down to a logical decision – do you want the best of both worlds, productivity and security?

Cross-posted from SC MarketScope


Rob Babb: 2 and 3 become contradictory in the context of BYOD. Your employees will NOT allow you to manage policy on THEIR devices. If you allow ONE of their devices, they will expect you to allow them ALL.

If you want security with BYOD, you need to move to a model of Trust Nothing when it relates to the end point device and instead of executing client side code on that device you need to move to something like VDI or Application Streaming so the context of code execution happens on a device you do trust. Also, you need to think about removing things like VPN access as an entry method into the enterprise from those untrusted devices and instead use secure portal gateways.
Mikko Jakonen: I like all the ideas to make IT security governance capable of working over threats and risks at large.

However (my favorite word nowadays..), I don't believe that even a single one from the list actually enables data leak prevention, outscoping risk management practice in general.

Currently, the only way to overcome data breach issues is to either restrict access to data in confined environments (very hard to accomplish) OR by using crypto that allows use of the data inside the 'enclave' where the data is allowed to be utilized.

In addition, the same approach could be used to prevent unnecessary or potentially malicious data from entering the organization. We all know this story already.

Anyway, key management shall be the pain even if the rest of the service architecture can be enabled efficiently.
Larry Kovnat: Where can you find a robust least privilege model? How about your multifunction printers? Controlling access and assigning privileges are fundamental security goals. The article focuses on the desktop, but don’t forget the importance of setting policy and using the controls built into the many non-PC embedded devices that are also connected to your network. We share a wide range of printer- and MFP-related security perspective on
Larry Kovnat, Sr. Manager, Xerox Product Security