To Stop a Cyber Thief: Watch Your Data Flow
You’ve got the data and cyber thieves want it.
But if you know how your data flows, you can start controlling who has access to it and how it is classified.
“Customers look at their data and think that it’s just on their computer,” said Sword & Shield Security Analyst Rocky Breeden. “But really, that data is traversing the network and, if it’s in plain text and not encrypted, it’s up for grabs.”
Breeden said cyber thieves can get unencrypted data by having access to the network either internally or with a WiFi connection – and they are looking for specific information, mainly credit and debit card or banking account numbers. Health records are also on their radar because they contain large amounts of personal information that can be sold for profit.
Network security experts typically start protecting this data by first finding it and managing it. Then they learn how it flows in and out of the network. Security Analysts use log management systems such as Security Information and Event Management (SIEM) devices combined with data flow analysis tools and network diagrams.
A data flow diagram is a graphical representation of the “flow” of data through an information system, modeling the processes the data passes through. It is often used as a preliminary step to create an overview of the system, which can be elaborated later. It shows what kind of information will be input to and output from the system, where the data will come from and go to, and where the data will be stored.
To control data flow, Breeden said customers must use best practices to ensure that data isn’t captured by a cyber criminal. These include:
- Classifying data and creating a classification matrix (Confidential, Private or Top Secret, Secret, etc.)
- Creating security controls based on classification
- Examining and monitoring logs in real time
- Performing internal audits on a regular basis (normally 90 to 180 days)
Firewalls, data-loss prevention systems, intrusion detection systems and access control lists all work well to control access, but only if they are configured and managed properly. Logs must be preserved so a possible security incident can be found, documented and, if necessary, acted upon.
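As an added example (not from the article or Sword & Shield's own tooling), the small Python check below applies a classification-to-control matrix to the hops of a data flow diagram and flags any hop where data moves without the controls its classification requires, or through a network zone not cleared to hold it. The level ranking, control names, zone clearances and sample flows are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Classification levels ranked from least to most sensitive. The ranking is an
# assumption for this example; the article lists labels without ordering them.
RANK = {"Public": 0, "Private": 1, "Confidential": 2, "Secret": 3, "Top Secret": 4}

# Control matrix: the minimum controls every hop carrying data of a given
# classification must have (constructed for this example).
REQUIRED = {
    "Public": set(),
    "Private": {"encrypted"},
    "Confidential": {"encrypted", "logged"},
    "Secret": {"encrypted", "logged", "acl"},
    "Top Secret": {"encrypted", "logged", "acl", "dlp"},
}

# Highest classification each network zone is cleared to hold (constructed).
ZONE_CLEARANCE = {"guest-wifi": "Public", "corp-lan": "Confidential",
                  "pci-segment": "Top Secret"}

@dataclass(frozen=True)
class Flow:
    name: str
    src_zone: str
    dst_zone: str
    classification: str
    controls: frozenset  # controls actually configured on this hop

def check_flow(flow):
    """Return the findings for one hop of a data flow; an empty list means compliant."""
    findings = []
    missing = REQUIRED[flow.classification] - flow.controls
    if missing:
        findings.append(f"missing controls: {', '.join(sorted(missing))}")
    for zone in (flow.src_zone, flow.dst_zone):
        if RANK[ZONE_CLEARANCE[zone]] < RANK[flow.classification]:
            findings.append(f"zone {zone} not cleared for {flow.classification}")
    return findings

def audit(flows):
    """Map each flow name to its findings so a whole diagram can be reviewed at once."""
    return {f.name: check_flow(f) for f in flows}

# Constructed sample flows, as one might read them off a data flow diagram.
FLOWS = [
    Flow("pos-to-gateway", "pci-segment", "pci-segment", "Top Secret",
         frozenset({"encrypted", "logged", "acl", "dlp"})),
    Flow("hr-export-to-laptop", "corp-lan", "guest-wifi", "Secret",
         frozenset({"logged"})),
]

if __name__ == "__main__":
    for name, findings in audit(FLOWS).items():
        print(name, "OK" if not findings else findings)
```

The second sample flow reproduces the scenario the article warns about: sensitive records leaving the wired network over WiFi without encryption, which the check reports as both a missing control and a zone clearance violation.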
While traditional security monitoring systems can help stop a cyber criminal in their tracks, these systems are rarely enough to react to today’s external, targeted, persistent and zero-day threats. Therefore, many companies are replacing traditional point-in-time audits and compliance checks with a continuous monitoring program that helps them prioritize controls and gives visibility into current threats.
“With a little time and effort we have been successful in stopping devastating attacks such as Cryptolocker, by doing our due diligence and monitoring logs in real time,” he said. “This type of monitoring can mitigate attacks and save revenue and reputation.”
Organizations need clear visibility into vulnerabilities, device behavior, system configuration, patch levels and their overall security posture.
“We capture the data, correlate the data and then categorize it,” he said. “After that, we can determine whether it’s a threat or legitimate traffic.”