It seems as though not a day goes by without a headline screaming that some organisation has experienced a data breach, putting the business – and its customers and partners – at risk. To keep your own organisation out of the news, it’s important to understand the most common causes of data breaches and what you can do to mitigate the threats they present. Show
1. Weak and Stolen Credentials, a.k.a. Passwords Hacking attacks may well be the most common cause of a data breach but it is often a weak or lost password that is the vulnerability that is being exploited by the opportunist hacker. Stats show that 4 in 5 breaches classified as a “hack” in 2012 were in-part caused by weak or lost (stolen) passwords! Simple Solution: Use complex passwords and never share passwords. 2. Back Doors, Application Vulnerabilities Why bother breaking the door down when the door is already open? Hackers love to exploit software applications which are poorly written or network systems which are poorly designed or implemented, they leave holes that they can crawl straight through to get directly at your data. Simple Solution: Keep all software and hardware solutions fully patched and up to date. 3. Malware The use of both direct and in-direct Malware is on the rise. Malware is, by definition, malicious software: software loaded without intention that opens up access for a hacker to exploit a system and potentially other connected systems. Simple Solution: Be wary of accessing web sites which are not what they seem or opening emails where you are suspicious of their origin, both of which are popular methods of spreading malware! 4. Social Engineering As a hacker, why go to the hassle of creating your own access point to exploit when you can persuade others with a more legitimate claim to the much sought after data, to create it for you? Simple Solution: If it looks too good to be true then it probably is too good to be true. If you were going to bequeath $10 Million US Dollars to someone you had never met, would you send them an email? 5. Too Many Permissions Overly complex access permissions are a gift to a hacker. Businesses that don’t keep a tight rein on who has access to what within their organisation are likely to have either given the wrong permissions to the wrong people or have left out of date permissions around for a smiling hacker to exploit! Simple Solution: Keep it Simple. 6. Insider Threats The phrase “keep your friends close and your enemies closer” could not be any more relevant. The rogue employee, the disgruntled contractor or simply those not bright enough to know better have already been given permission to access your data; what’s stopping them copying, altering or stealing it? Simple Solution: Know who you are dealing with, act swiftly when there is a hint of a problem and cover everything with process and procedure backed up with training. 7. Physical Attacks Is your building safe and secure? Hackers don’t just sit in back bedrooms in far off lands, they have high visibility jackets and a strong line in plausible patter to enable them to work their way into your building and onto your computer systems. Simple Solution: Be vigilant, look out for anything suspicious and report it. 8. Improper Configuration, User Error Mistakes happen and errors are made. Simple Solution: With the correct professionals in charge of securing your data and the relevant and robust processes and procedures in place to prevent user error, then mistakes and errors can be kept to a minimum and kept to those areas where they are less likely to lead to a major data breach. For a more comprehensive explanation of all the information explained above, as well as a more detailed look at some of the ways to prevent your business from falling foul of these common causes of data breaches, read Information Weeks The 8 most common causes of data breach For more information on how a Cyber Risk insurance policy can help your company recover should a data breach occur, just get in touch on 01905 21681 You just learned that your business experienced a data breach. Whether hackers took personal information from your corporate server, an insider stole customer information, or information was inadvertently exposed on your company’s website, you are probably wondering what to do next. What steps should you take and whom should you contact if personal information may have been exposed? Although the answers vary from case to case, the following guidance from the Federal Trade Commission (FTC) can help you make smart, sound decisions. Secure Your OperationsMove quickly to secure your systems and fix vulnerabilities that may have caused the breach. The only thing worse than a data breach is multiple data breaches. Take steps so it doesn’t happen again.
Mobilize your breach response team right away to prevent additional data loss. The exact steps to take depend on the nature of the breach and the structure of your business. Assemble a team of experts to conduct a comprehensive breach response. Depending on the size and nature of your company, they may include forensics, legal, information security, information technology, operations, human resources, communications, investor relations, and management.
Stop additional data loss. Take all affected equipment offline immediately — but don’t turn any machines off until the forensic experts arrive. Closely monitor all entry and exit points, especially those involved in the breach. If possible, put clean machines online in place of affected ones. In addition, update credentials and passwords of authorized users. If a hacker stole credentials, your system will remain vulnerable until you change those credentials, even if you’ve removed the hacker’s tools. Remove improperly posted information from the web.
Interview people who discovered the breach. Also, talk with anyone else who may know about it. If you have a customer service center, make sure the staff knows where to forward information that may aid your investigation of the breach. Document your investigation. Do not destroy evidence. Don’t destroy any forensic evidence in the course of your investigation and remediation. Fix VulnerabilitiesThink about service providers. If service providers were involved, examine what personal information they can access and decide if you need to change their access privileges. Also, ensure your service providers are taking the necessary steps to make sure another breach does not occur. If your service providers say they have remedied vulnerabilities, verify that they really fixed things. Check your network segmentation. When you set up your network, you likely segmented it so that a breach on one server or in one site could not lead to a breach on another server or site. Work with your forensics experts to analyze whether your segmentation plan was effective in containing the breach. If you need to make any changes, do so now. Work with your forensics experts. Find out if measures such as encryption were enabled when the breach happened. Analyze backup or preserved data. Review logs to determine who had access to the data at the time of the breach. Also, analyze who currently has access, determine whether that access is needed, and restrict access if it is not. Verify the types of information compromised, the number of people affected, and whether you have contact information for those people. When you get the forensic reports, take the recommended remedial measures as soon as possible. Have a communications plan. Create a comprehensive plan that reaches all affected audiences — employees, customers, investors, business partners, and other stakeholders. Don’t make misleading statements about the breach. And don’t withhold key details that might help consumers protect themselves and their information. Also, don’t publicly share information that might put consumers at further risk. Anticipate questions that people will ask. Then, put top-tier questions and clear, plain-language answers on your website where they are easy to find. Good communication up front can limit customers’ concerns and frustration, saving your company time and money later. Notify Appropriate PartiesWhen your business experiences a data breach, notify law enforcement, other affected businesses, and affected individuals. Determine your legal requirements. All states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. In addition, depending on the types of information involved in the breach, there may be other laws or regulations that apply to your situation. Check state and federal laws or regulations for any specific requirements for your business. Notify law enforcement. Call your local police department immediately. Report your situation and the potential risk for identity theft. The sooner law enforcement learns about the theft, the more effective they can be. If your local police aren’t familiar with investigating information compromises, contact the local office of the FBI or the U.S. Secret Service. For incidents involving mail theft, contact the U.S. Postal Inspection Service. Did the breach involve electronic personal health records? Then check if you’re covered by the Health Breach Notification Rule. If so, you must notify the FTC and, in some cases, the media. Complying with the FTC’s Health Breach Notification Rule explains who you must notify, and when. Also, check if you’re covered by the HIPAA Breach Notification Rule. If so, you must notify the Secretary of the U.S. Department of Health and Human Services (HHS) and, in some cases, the media. HHS’s Breach Notification Rule explains who you must notify, and when. Notify affected businesses. If account access information — say, credit card or bank account numbers — has been stolen from you, but you don’t maintain the accounts, notify the institution that does so it can monitor the accounts for fraudulent activity. If you collect or store personal information on behalf of other businesses, notify them of the data breach. If Social Security numbers have been stolen, contact the major credit bureaus for additional information or advice. If the compromise may involve a large group of people, advise the credit bureaus if you are recommending that people request fraud alerts and credit freezes for their files. Equifax: equifax.com/personal/credit-report-services or 1-800-685-1111 Experian: experian.com/help or 1-888-397-3742 TransUnion: transunion.com/credit-help or 1-888-909-8872 Notify individuals. If you quickly notify people that their personal information has been compromised, they can take steps to reduce the chance that their information will be misused. In deciding who to notify, and how, consider:
For example, thieves who have stolen names and Social Security numbers can use that information not only to sign up for new accounts in the victim’s name, but also to commit tax identity theft. People who are notified early can take steps to limit the damage. When notifying individuals, the FTC recommends you:
State breach notification laws typically tell you what information you must, or must not, provide in your breach notice. In general, unless your state law says otherwise, you’ll want to:
Consult with your law enforcement contact about what information to include so your notice doesn’t hamper the investigation. Tell people what steps they can take, given the type of information exposed, and provide relevant contact information. For example, people whose Social Security numbers have been stolen should contact the credit bureaus to ask that fraud alerts or credit freezes be placed on their credit reports. See IdentityTheft.gov/databreach for information on appropriate follow-up steps after a compromise, depending on the type of personal information that was exposed. Consider adding this information as an attachment to your breach notification letter, as we’ve done in the model letter below. Include current information about how to recover from identity theft. For a list of recovery steps, refer consumers to IdentityTheft.gov. Consider providing information about the law enforcement agency working on the case, if the law enforcement agency agrees that would help. Identity theft victims often can provide important information to law enforcement. Encourage people who discover that their information has been misused to report it to the FTC, using IdentityTheft.gov. IdentityTheft.gov will create an individualized recovery plan, based on the type of information exposed. And, each report is entered into the Consumer Sentinel Network, a secure, online database available to civil and criminal law enforcement agencies. Describe how you’ll contact consumers in the future. For example, if you’ll only contact consumers by mail, then say so. If you won’t ever call them about the breach, then let them know. This information may help victims avoid phishing scams tied to the breach, while also helping to protect your company’s reputation. Some organizations tell consumers that updates will be posted on their website. This gives consumers a place they can go at any time to see the latest information. Model LetterThe following letter is a model for notifying people whose Social Security numbers have been stolen. When Social Security numbers have been stolen, it’s important to advise people to place a free fraud alert or credit freeze on their credit files. A fraud alert may hinder identity thieves from getting credit with stolen information because it’s a signal to creditors to contact the consumer before opening new accounts or changing existing accounts. A credit freeze stops most access to a consumer’s credit report, making it harder for an identity thief to open new accounts in the consumer’s name. [Name of Company/Logo] Date: [Insert Date] NOTICE OF DATA BREACH Dear [Insert Name]:
[Insert closing] As noted above, we suggest that you include advice that is tailored to the types of personal information exposed. The example below is for a data breach involving Social Security numbers. This advice and advice for other types of personal information is available at IdentityTheft.gov/databreach. Also, consider enclosing with your letter a copy of Identity Theft: A Recovery Plan, a comprehensive guide from the FTC to help people address identity theft. You can order the guide in bulk for free at bulkorder.ftc.gov. The guide will be particularly helpful to people with limited or no internet access. Optional AttachmentWhat information was lost or exposed?Social Security number
For More Guidance From the FTCThis publication provides general guidance for an organization that has experienced a data breach. If you’d like more individualized guidance, you may contact the FTC at 1-877-ID-THEFT (877-438-4338). Please provide information regarding what has occurred, including the type of information taken, the number of people potentially affected, your contact information, and contact information for the law enforcement agent with whom you are working. The FTC can prepare its Consumer Response Center for calls from the people affected, help law enforcement with information from its national database of reports, and provide you with additional guidance as necessary. Because the FTC has a law enforcement role with respect to information privacy, you may seek guidance anonymously. For additional information and resources, please visit business.ftc.gov. Which type of data storage allows for the most variety of data types?Which type of data storage allows for the most variety of data types? A data lake, is a collection of both structured and unstructured data, allowing for more diverse data formats such as video streams or IoT sensor data.
Which of the following is a request for specific data from a database?A query can either be a request for data results from your database or for action on the data, or for both. A query can give you an answer to a simple question, perform calculations, combine data from different tables, add, change, or delete data from a database.
Which field could serve as the primary key for a list of students in your school quizlet?For example, in your student record, a primary key might be your student ID or Social Security number because no other student at your school will have the same number as you do. In this table, two students have the same name.
Which of the following is not an Rdbms?Answer : Option b. Drupal is correct. Drupal is not an RDBMS software.
|