This article can also be found in the Premium Editorial Download "Information Security magazine: Security Readers' Choice Awards 2008."
Even security-minded organizations can trip up on common misconceptions that lead to breaches and bad publicity.
It's not like they don't have security strategies or aren't taking steps to meet regulatory requirements. Organizations stumble when they assume certain solutions provide greater levels of security than they actually do, or that certain processes are immune to security breaches. These assumptions lead to what I call "gotcha moments" that often result in data leaks and negative publicity.
Here are some misconceptions and mistakes that can garner a company unwanted media coverage:
If it's encrypted, you're safe. Encryption is a great way to protect sensitive information, and if done correctly, helps an organization meet most industry and regulatory data security requirements. It also means, in most cases, an exemption from many of the breach notification laws. But just because information is encrypted doesn't always mean it's secure; the methods used to create and manage encryption keys are critical. Some organizations provide developers, administrators and users with the encryption keys and some even store the keys within the same database where the encrypted data is stored--practices that undercut encryption's effectiveness.
Enable WPA2 on wireless networks and you're secure. It's a common misconception that enabling the latest wireless authentication and encryption standard, WPA2, eliminates the vulnerabilities associated with wireless networks. But unless the wireless client settings are properly configured and locked down, wireless networks are vulnerable to access point impersonation and man-in-the-middle attacks. It's fairly trivial to set up a rogue access point that impersonates a valid access point to trick users into associating with an "evil twin," where they are presented with what looks like a corporate login screen.
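As an added illustration (not from the original column), here is what "locking down" the client side of a WPA2-Enterprise network means in practice, shown as two alternative wpa_supplicant network blocks; the SSID, user name, password, CA file path and RADIUS server name are assumed placeholders. The first block never verifies the authentication server, so the client will run its inner credential exchange with any access point that broadcasts the same SSID; the second pins the server to the corporate CA and a specific name, so the TLS tunnel fails before any credential is exchanged with an impostor.

```conf
# Added example, not from the original column. All names are placeholders:
# SSID "CorpWiFi", CA file /etc/ssl/certs/corp-ca.pem, RADIUS host radius.corp.example,
# user "jdoe" with a throwaway password. Use ONE of the two blocks, not both.

# --- Weak: WPA2-Enterprise with no server validation ------------------------
# No ca_cert and no name check: the client accepts whatever certificate the
# authentication server presents, so an "evil twin" with the same SSID can
# complete the outer TLS handshake and receive the inner MSCHAPv2 exchange.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# --- Hardened: server certificate pinned to the corporate CA and host name --
# The client proceeds only if the server certificate chains to the corporate
# CA (ca_cert) AND its name ends in the expected domain (domain_suffix_match).
# An impersonating access point cannot satisfy both, so the tunnel is torn
# down before the inner credential exchange starts.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
}
```

The same two settings (trusted CA plus expected server name) are what to enforce in managed client profiles on other platforms; a user prompt of "accept this certificate?" is the weak configuration in disguise.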
Policies are only for big companies. Regardless of size, an organization must have information security policies, but many small- and medium-sized businesses don't take the concept very seriously. Some have operated for years with no IT policies, yet store sensitive credit card information. These companies have implemented security technology, but suffer from single-mindedness--that technology alone can solve a problem. No matter how much you have invested in security technology, it won't be effective without management-approved policies.
Store sensitive data indefinitely. Some companies never delete anything they gather about their customers, even sensitive information. The mistake is assuming that the same processes for collecting data that worked years ago still work today. With much more information being collected and stored digitally, the threats posed by sophisticated hackers are greater and require improved security.
Give employees access to everything. Some organizations allow almost all of their employees and contractors access to sensitive customer data without any real justification. They claim it's too much work to manage the access controls needed to appropriately limit access to such information; they have other priorities. Some of the largest cases of sensitive data disclosure or misuse started with an insider.
Don't get caught in a "gotcha moment." If your organization avoids practices like these, it won't make headlines for the wrong reasons.
Kenneth M. Smith, CISSP, is a principal security consultant for Akibia, in charge of vulnerability assessments and risk management services. He is a QSA, CISA, and a GIAC Certified Incident Handler (GCIH). Send comments on this column to firstname.lastname@example.org
This was first published in April 2008