Insights into technology - Preventing data loss
Ryan English
August 1, 2008
As security threats to corporate networks and databases reach an all-time high, recent studies indicate that most data breaches could have been prevented with reasonable security precautions.
Corporate executives and security managers mustn't delude themselves into thinking they are secure.
Here are the top IT security threats, and how to guard against them:
1. Web application exposure. Web application vulnerabilities such as broken access controls
and failure to properly validate inputs are threats to any organization that has a Web site,
especially those that collect confidential consumer data such as credit card, social security, and
driver's license numbers. Employ a qualified security assessor to evaluate the security
vulnerabilities of Web applications at least annually, and any time there is a new release or major
change to the application.
2. Wireless networks. Most wireless networks are installed without the wireless access points
being properly configured to prevent unauthenticated users from reaching the corporate network.
Identify any unauthorized (rogue) wireless access points and shut them down immediately. Make sure
authorized wireless access points are securely configured. Annual wireless security assessments are recommended.
3. Ineffective firewalls. A firewall that is improperly configured or is more than a year
behind in patching is as good as having no intrusion prevention system at all. Organizations should
assess the current security, policies and patch levels of firewalls on a routine basis. Install
patches as soon as they are available.
4. Server configuration and patching. Externally facing servers are often running older
versions of software that attackers can exploit more easily. Regularly scan all network devices
and servers to check current patch levels and identify potential security vulnerabilities. Keeping
patches current lessens the likelihood that a malicious attacker could compromise a device or
that it could be infected with malware.
5. Social engineering. Phishing emails and phone calls are all it takes for an attacker to
gain the confidence of unsuspecting personnel who will divulge confidential information. Conduct
security awareness training with employees once a year to educate personnel on dangers of social
engineering, preventing unauthorized access to facilities, and the organization's policies for
disseminating confidential information.
6. Malware. Malware is malicious software that infiltrates or damages an organization's
computer systems. It includes computer viruses, worms, Trojan horses, rootkits, spyware, dishonest
adware, and other malevolent and unwanted software. One industry source estimates that more malware
was produced last year than in the previous 20 years. Your organization has exposure to malware if
you don't have technology covering anti-virus, anti-spyware, encryption, intrusion detection or
malware detection. Organizations should continuously monitor their network devices, firewalls and
servers for potential malware. Use monitoring software or outsource the monitoring of security
devices to an external security company to identify threats and issue alerts on security events to
help identify potential malware attacks.
7. Malicious Web sites. Users can fall victim to phishing attacks or introduce malcode, such
as spyware, into their organizations by visiting unauthorized Web sites. Create corporate policies
that describe acceptable employee computer usage, such as Web access, downloads, and opening email
from unknown senders. Using Web filtering technology will help ensure that users aren't introducing
dangerous code into the organization's networks.
8. Mobile devices. Remote and traveling employees pose a major risk, and measures should be
taken to prevent data loss. Laptops and other mobile devices can be lost or stolen, and
along with them go confidential data and, too often, private customer data. Every mobile device
and laptop containing confidential information should be fully encrypted if organizations are to
fully protect themselves.
Ryan English is VP of product management at Vigilar Inc.