Avoiding a breach: Advice for managers from security experts

October 04, 2011

Every month or so another high-profile computer security breach hits the headlines, involving exposure of sensitive consumer information, uncovering of classified documents or disruption of corporate and government websites and systems.

Why are these breaches happening so often, and at such high levels? What should managers do to reduce the risk of a security incident? The W. P. Carey School’s Department of Information Systems is home to a group of researchers who study various aspects of information systems security. KnowIT asked these experts to share their insights about root of the problem, and suggest what managers can do to keep their databases out of the news.

Know your threat

“What most people are reading or hearing about in the news are successful cyber attacks that have already been ‘in the making’ or in progress,” said Robert Mejias, a Clinical professor of Information Systems. “A successful cyber attack means that attackers have already identified, probed and breached the organization for system vulnerabilities, and have quickly and brutally exploited them. And these cyber attackers will continue to successfully exploit these system weaknesses without the organization even detecting it.”

To appreciate how sophisticated a successful cyber attack can be, Mejias said there are three important concepts one must understand:

• Cyber threat – A potential action that could compromise the security or availability of information system resources, or violate the organization’s information security policy. Cyber threats include but are not limited to viruses, worms, denial of service (DoS) attacks, botnets, DNS attacks, virus hoaxes, steganography, EMP bombs and SCADA attacks.

• Attacker exploits — Specific techniques, tools or methods used by cyber attackers to take advantage of a particular weakness in an information security system. Examples of attacker exploits are reconnaissance, foot printing, scanning, sniffing, DNS enumeration, phishing, social engineering, and hacking/cracking passwords.

• Cyber attack — The materialization of a cyber threat and the deliberate exploitation and breaching of an information system’s security weakness.

“There is not much organizations can do once their data and information resources have been exploited, attacked and breached,” Mejias said. “Except for mitigating the damage that has already occurred, it is just too late for preventive strategies.”

Altaf Ahmad, a clinical assistant professor of information systems, said another form of security breach currently in vogue is website defacement. Website defacement has been around for a while, but what is new is the motivation of hackers. Previously, hackers used to change or damage websites with primarily the intent of highlighting their ability to do so.

“What we are now seeing is a form of online political activism, or ‘hacktivism,’” Ahmad said. “Consequently, you have a number of online groups attacking and defacing high profile websites by posting damaging content or targeting specific organizations to make a public statement against them. Part of the attraction of hacktivism is the increased media coverage.”

Prevention is key

Recently, hackers were able to access credit card information for 77 million Sony customers. In another incident, an attack on LulzSecurity (LulzSec) laid bare sensitive records from the Maricopa County Sheriff’s Department. Bottom line – managers are responsible for making sure that devastating events such as these cannot occur.

However, prevention is easier said than done – especially if a company lacks initiative, expertise and/or money.

Paul Steinbart, professor of information systems, said the complicated nature of information systems often paralyzes managers and executives, preventing them from moving forward. He cites what he calls “the cascading effect:” changes to one system can force changes to another connected system and another, and so on. Soon, what seemed simple to fix has become a major overhaul.

“I will acknowledge that it is possible to overspend or over-invest in security, but with most companies the problem is the opposite -- there is an under-investment,” Steinbart said. “Not necessarily on purpose, but because of the complexity of what’s involved.”

Steinbart also looks at what he terms “the around to it” problem. When a company is in a hurry to institute a new system or website it’s tempting to delay dealing with possible security weaknesses until there’s more time to get around to it.

“Of course, as we all know, you never do get around to doing the things you postpone doing,” he said.

And then, of course, there is the issue of money. With the effects of a brutal recession still lingering, many a corporation and government agency has been forced to lay off workers and hold back on capital expenditures and employee training. Cutting back on employee training in particular, Steinbart said, has helped to create the current environment where information systems have become especially vulnerable.

“Your systems security people need continuing education. Training is wrongly considered a discretionary item and, therefore, often gets short-changed, especially in recessionary times. Then the company is surprised that their people weren’t on the ball and didn’t know about and stop this latest (security breach technique),” he said. “You’ve prevented them for getting any training and you’ve asked them to work more hours — what do you want, what do you expect?”

While IS managers are the ones officially entrusted to protect a company or agency’s cyber security measures, employees sitting in corner offices or cubicles must also be considered, said Benjamin Shao, associate professor of information systems.

The millions of employees who access the Internet while working on server-linked computers may unwittingly open doors to hackers. Shao suggests that employees be trained to be more aware of their online actions. He also advocates longer passwords – called passphrases that are not shared and only meaningful to users -- and emphasizes the use of different passwords for different accounts.

Otherwise companies risk the domino effect. “If an employee uses the same password over and over across different websites and systems and across different accounts, once a bad guy gets the password he or she can access many, many of your accounts,” Shao said.

Ahmad warned that even if employees are adhering to security protocols for passwords and are taking other measures to protect security-related information, they still must be informed of the more innocuous methods some hackers are using to gather sensitive data.

“Using what has been termed ‘social engineering,’ people are able to get snippets of information from employees,” Ahmad said. By itself a snippet may not be sensitive. “But combined with other information, it can possibly allow a malicious person to feign a certain level of authority over the phone, resulting sometimes in getting access to security credentials,” he said.

Raise a red flag

Mejias calls for companies and agencies to institute information security awareness programs for the entire organization, underscoring the full impact of successful cyber attacks and what individuals can do to prevent them. He likens such programs to the safety first measures enacted by corporations and government agencies in the 1950s and 1960s that were focused on making employees aware of industrial espionage. Few organizations make serious efforts to institute information security awareness programs, he said.

The reason for this, according the Shao, is that companies, like consumers, play a game of chicken. Many consumers who buy online and give out personal information in the process think that if nothing bad has happened yet, it most likely won’t, Shao said. When something does happen, however, the impact can be devastating for consumers and companies alike.

“I think managers have to take a different attitude. Security breaches represent low-probability but high-impact events, which means they do not happen very often but if they do, the consequences can be severely damaging.” Shao said. “Research shows that when people deal with potential loss, they tend to be more risk seeking and hence take on more unnecessary risks.”

Shao suggested companies should regard security measures as a way to advance the business, through increased consumer satisfaction, and to enhance the protection of its proprietary and valuable information. “When there is something to gain,” Shao said, “people tend to take fewer risks.”

“That’s the attitude managers should have when dealing with a potential security problem,” he said. “You want to be risk averse, and take more security measures if there is enough resource to do so.”

With the right information, the weakest link in the security chain — people — can become the strongest, Steinbart added.

Data pollution

With the advances being made in technology, companies are increasingly gathering more and more information from each other and consumers. Associate Professor Marilyn Prosch calls this “data pollution.”

Prosch, who helped to create one of the world’s first data-privacy research labs (the department’s Privacy by Design Research Lab) maintains that the current volume of stored data is overpoweringly tempting to hackers. By storing so much data, organizations are actually enabling security breaches, she said.

To minimize data pollution, Prosch offers companies the following 10 tips:

1. Don’t collect data just because you can.
2. Don’t keep data longer than you need it.
3. Honestly disclose to your customers what data you collect and how you do or do not protect it.
4. Know the international, federal and state laws and regulations that apply to your business and make sure you are in compliance.
5. Properly and thoroughly destroy all forms of personal information, including hard copies.
6. Appoint a person or team in your organization to be responsible and accountable for protecting personal information.
7. Determine the “shelf life” of any data you collect so you don’t keep it beyond its necessary use.
8. From time to time review your data practices and update them when needed.
9. Ensure security practices are up-to-date, appropriate and being followed.
10. Train employees to know what is and is not appropriate access, use and disclosure of the personal information residing in a company database.

“In general, everyone in the Information Age tends to think data is an asset and that if you can collect it, then you should; after all, it’s cheap to store,” Prosch said. “However, businesses are starting to see this can be a liability. We teach data minimization. If you don’t need it, then don’t collect it, and only keep what you need for the required amount of time.”