Slashdot Mirror


Good: Companies Care About Data Privacy Bad: No Idea How To Protect It

Esther Schindler writes: Research performed by Dimensional Research demonstrated something most of us know: Just about every business cares about data privacy, and intends to do something to protect sensitive information. But when you cross-tabulate the results to look more closely at what organizations are actually doing to ensure that private data stays private, the results are sadly predictable: While smaller companies care about data privacy just as much as big ones do, they're ill-equipped to respond. What's different is not the perceived urgency of data privacy and other privacy/security matters. It's what companies are prepared (and funded) to do about it. For instance: "When it comes to training employees on data privacy, 82% of the largest organizations do tell the people who work for them the right way to handle personally identifiable data and other sensitive information. Similarly, 71% of the businesses with 1,000-5,000 employees offer such training. However, even though smaller companies are equally concerned about the subject, that concern does not trickle down to the employees quite so effectively. Half of the midsize businesses offer no such training; just 39% of organizations with under 100 employees regularly train employees on data privacy."

12 of 77 comments

  1. Fairly easy way to protect data. by SuperKendall · · Score: 5, Insightful

    Never collect it to begin with.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Fairly easy way to protect data. by jellomizer · · Score: 2

      All sounds good however... For a large organization such rules become impractical. To get full security there will be so much administrative overhead of approving access to a given area for so much time and back, that if you played by the rules you wouldn't get your job done timely. So you end up with "black market" IT where people will store backups of the data in, say, Access or Excel files, and keep them hidden from the official system. Not because they have nefarious use of them, but because they will need to get their job done, and the official secure way is too impractical.

      So let's say you were tasked to figure out if it was worth it to accept American Express, as AE charges a lot for its transaction. So you may need to figure out some numbers.
      % of customers with AE
      Average spending with AE
      Average spending in total
      Standard dev of spending with AE
      Standard dev of spending total

      Now because someone dropped the ball you will need this data quickly.
      Putting a request to get this data may take days.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Fairly easy way to protect data. by peragrin · · Score: 2

      The problem is step 4 is the issue.

      Using encryption correctly with access controls is all but impossible with current OS's.

      Very few OS's have the access control setup to properly limit. Most current forms of Access control assume a greater and greater level of access with each level. That still creates accounts which can access everything. You don't want that.

      What is needed is an access level system that lets you install updates, maybe move files, but not read them. This way the system admin can't access your secure data period. He can move it, but he can't actually read the file itself. That way upper level executives who demand access to everything can get access to the data but not install malware. Even then there needs to be access level to restrict data from all but certain levels. So Accounting department can access your credit card information but the executives above them can't.

      So a Mandatory/need to access form of Access control, not the pyramid type system used in place today where each person is on a level, and a few at the top get everything.

      --
      i thought once I was found, but it was only a dream.
    3. Re:Fairly easy way to protect data. by Anonymous Coward · · Score: 2, Informative

      1) Stop using cloud-infrastructure for storage.
      Essentially the reason stuff gets stolen in the first place is because someone's client is compromised, which is a lot easier to do than hacking into the cloud storage itself.
      2) Stop using virtual machines on "the real network", because it's a lot easier to just pull a virtual machine image, and run it on a "hostile" machine, all the while impersonating the hypervisor of the real machine. Why bruteforce over the network when you can just patch the login process to accept any password or key by accessing the storage itself.

      Those are the most important "painting ourselves into a corner" we are doing to ourselves right now for both privacy and security. The average data leak right now is a result of using off-the-shelf open-source software like Wordpress, and not keeping on top of security updates to the entire *AMP stack. Nobody has time for this, and letting the computer update itself is an even WORSE prospect as it will restart itself and open itself to MiM attacks in the process, it doesn't matter if an update is signed if you can just hijack the entire update process to change the expected checksums.

      Like right now, the weakest thing I have to deal with in Linux is the auto-update process that doesn't work at all. Why does the yum have to take up 500MB of ram just to stay resident checking for updates? That is ass-backwards wrong and needs to stop. Someone please figure out how to make an auto-update process not grind the machine to a halt while they are at it.

      So how do we protect privacy?
      1) Stop outsourcing. This includes both "clouding" information, and hiring people outside the organization, or outside the country that need access to that data to do their job. Your phone company should not be outsourcing customer service to a third party, let alone a third party in India. The Indians in this case don't value privacy and will sell your private information for a nickel just because they can and can't be held responsible for it since they aren't in the US.
      2) Make US Privacy laws explicitly prohibit the "clouding" or "outsourcing" of customer information. That information needs to be stored on company-owned-and-maintained hardware that has the safeguards. There is no reason why a customer at Target should have their privacy information available to the check-out clerk by indexing their credit card number. That's beyond stupid. Every time we make things more convenient to a customer, we are putting their private information at risk. De-centralize data storage so that data acquired at one location isn't shared with other locations unless that customer opts in to connecting it. That's how banks work. Banks somehow are less stupid on this front, but are still stupid about verification.
      3) Social engineering... quit hiring morons. Instead of pushing down wages by constantly trying to poach smart people from other businesses to avoid training people to not be morons. Actually have internal security audits from "customers" that are really security people check that the representatives are doing their job properly and not just blindly believing every stupid thing someone says.

    4. Re:Fairly easy way to protect data. by Jawnn · · Score: 2

      I can't imagine them making the leap to more loosely guarded information without a business case.

      The business case is already there, unless you do business only in one of the few remaining states without a law that makes it truly painful to suffer a breach. But I get what you mean, even the reality of ruinous penalties, lawsuits, and bad PR is just theoretical to many decision makers. They won't part with a dime to mitigate security issues without at least a good scare or two.

  2. Vested interest by ArhcAngel · · Score: 2

    You can't train an employee to care about someone else's data. If you make them take the course they will. They might even retain some of the message but when it comes time to put it into action it better not be more complex than pressing a button cause something else more important is calling their names.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  3. Lots of tools, not a lot of experience by mlts · · Score: 2

    Elaborating on the concept, the good thing is that businesses have a lot of security tools that are not too expensive:

    IDS/IPS.

    AD's innate protection and logging.

    Management and Alerting software like SolarWinds, SCOM/SCVMM/SCCM, or Splunk/Puppet/Chef/Webmin.

    Encapsulating network segments by offering access to data without the ability to fetch the raw items, which can be done with App-V, Remote Desktop, or Citrix.

    Disk encryption is in virtually every OS.

    Basic routing/firewalling/segmenting either via dedicated appliances or a general purpose PC with a routing OS.

    Virtualization/containers to separate applications from each other as well as completely revert the damage done to malware by snapshots.

    Backup servers. Even a SMB can buy an edition of Windows Server 2012R2, enable the Essentials package, and back up a number of clients via a pull mechanism which prevents malware on the target clients from being able to tamper with or modify stored data on the server. For larger installs, MS's SCDPM is one alternative, NetBackup, TSM, and other enterprise tier utilities are another.

    Now the bad news:

    The tools we have are decent. However, it takes not just putting them together to make a cohesive security structure, but also putting policies, procedures, and dealing with the human element. Piss the employees off, and no amount of glued USB ports and Draconian policies will keep them from slurping data offsite out of spite. This is where the expenses come in. It takes people who know what the heck they are doing and know each tool's uses and what they can't do (for example, not think that BitLocker protects against threats over the network.)

    A whitehat's job is hard. It requires a broad spectrum of knowledge of products, as well as being able to configure things in a failsafe manner [1] so if one item with security fails, all isn't lost.

    Another problem is that there has been such a disincentive for so long for people interested in computer security. I have been told by managers at different companies, "Security has no ROI and if we do get hacked, Tata/Infosys/Geek Squad can fix the problem with a phone call." Because security has been hind teat in the IT world for so long, finding experienced people is hard, and can be expensive.

    Maybe this will change, and if companies want security people, more people will start going that route, creating a positive feedback loop. However, I fear this is going to take a major event that causes loss of life before this ever will happen [2].

    It may not have to be that expensive a fix... if Sony had an alerting system to notify their SOC that someone was brute-forcing AD, the attack against them likely would have been far less widespread.

    [1]: For example, an anonymous FTP site would have the /pub directory NFS mounted read-only with permissions squashing root, but allowing everyone to read that directory. That way, if the FTP server gets compromised, the data offered for public FTP can't be tampered with. Of course, the intruder can dismount /pub and put their own Trojaned downloads in its place, but security is about mitigation of attacks as well as prevention, and cleaning up a hacked FTP server can just be as easy as rolling back to an earlier VMware snapshot.

    [2]: Before the term "cyber 9/11" was coined, it was termed the "Warhol event".
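
The kind of alerting the comment above mentions (telling a SOC that something is brute-forcing AD), sketched as an added example that is not part of the original comment or any product's code. It assumes failed-logon events (Windows Security event ID 4625) have already been exported as simple tuples; the sample events, addresses, account names and thresholds are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625  # Windows Security event ID for a failed logon

def sample_events():
    """Constructed (time, event_id, source_ip, account) tuples, not real logs."""
    t0 = datetime(2015, 1, 1, 9, 0, 0)
    ev = []
    for i in range(12):   # one source hammering a single account
        ev.append((t0 + timedelta(seconds=5 * i), 4625, "192.0.2.10", "svc_backup"))
    for i in range(10):   # one source failing once against many accounts
        ev.append((t0 + timedelta(seconds=20 * i), 4625, "198.51.100.7", f"user{i:02d}"))
    # a user who mistypes twice and then logs on (4624 = successful logon)
    ev.append((t0 + timedelta(seconds=30), 4625, "192.0.2.20", "alice"))
    ev.append((t0 + timedelta(seconds=40), 4625, "192.0.2.20", "alice"))
    ev.append((t0 + timedelta(seconds=50), 4624, "192.0.2.20", "alice"))
    return sorted(ev)

def detect_bruteforce(events, window=timedelta(minutes=5), threshold=10):
    """Alert once per source whose failed logons inside `window` reach `threshold`.
    `events` must be sorted by time."""
    recent = defaultdict(deque)  # source_ip -> (time, account) still inside the window
    alerts = {}
    for when, event_id, src, account in events:
        if event_id != FAILED_LOGON:
            continue
        q = recent[src]
        q.append((when, account))
        while when - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            accounts = {a for _, a in q}
            alerts[src] = {
                "source": src,
                "first_failure": q[0][0],
                "failures": len(q),
                "accounts": len(accounts),
                # many distinct accounts from one source looks like spraying
                "pattern": "spray" if len(accounts) > 1 else "single-account",
            }
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_bruteforce(sample_events()):
        print(alert)
```

The user who mistypes a password twice stays below the threshold and raises no alert; the two noisy sources each raise exactly one.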

  4. Training employees for security? by DougPaulson · · Score: 3, Interesting

    How about encrypting the data and using PKI over VPN with a full irrevocable audit trail. The keys being stored on a portable hardware token.

  5. Reality by sublayer · · Score: 4, Insightful
    TFA: Just about every business cares about data privacy

    Reality: Just about every business says they care about data privacy

    The first line of the typical company privacy policy is "we value your privacy", but the next ten pages list all the ways they are going to violate it.

  6. as much as big companies? by Gravis+Zero · · Score: 4, Insightful

    smaller companies care about data privacy just as much as big ones do

    so they care deeply until you ask them to spend money at which point they will do the minimum needed to avoid being sued. gotcha, they're directed by sociopath.

    --
    Anons need not reply. Questions end with a question mark.
  7. Cutting to the chase by SuperKendall · · Score: 2

    I like all those layers.

    A simpler approach: All system developers dealing with personal data must place alongside any stored person data, their own personal SSN and login details for all of their banking and investment account, along with one embarrassing JPG.

    Then just let them do whatever comes naturally.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  8. Good: punctuation Bad: no punctuation by pr100 · · Score: 2

    :/