Eight Ways to Prevent Data Breaches
Perimeter CTO Kevin Prince has kindly offered up several tips for preventing a data breach.
The Epsilon breach has dominated the security news this weekend, and it is easy to understand why. If you haven't heard, the breach exposed the customer email addresses of some major companies, including JPMorgan Chase, Kroger grocery stores, TiVo and Citibank. The breach of Epsilon, a marketing and communications company, was allegedly the work of an unauthorized source outside of the organization.
The businesses affected by the breach were quick to point out that no financial information or credit card information was involved. Obviously, that's a huge relief to all. However, the announcement makes it sound like an email breach is no big deal. My first thought was the potential for spam, or for those email addresses being used to eventually steal personal information.
Apparently, I'm not alone in those thoughts. In his blog, Brian Krebs points out a potential result of the breach:
Rod Rasmussen, chief technology officer at Internet Identity and the industry liaison for the Anti-Phishing Working Group, believes that the Epsilon breach will lead to an increase in "spear phishing" attacks, those that take advantage of known trust relationships between corporations and customers by crafting personalized messages that address recipients by name, thereby increasing the apparent authenticity of the email.
Anup Ghosh, founder and chief scientist for Invincea, believes the breach is a failure for the information security industry:
As an industry, info security has completely and utterly failed its clients; the corporations that drive our economies, the government that protects us, the citizens that rely on us to provide secure access to the digital world. While we fling FUD-mud at each other, jockey for position inside accounts, cling to cash cows that we know are ineffective, our adversaries continue to outpace us and rip down the very fabric we've built our businesses upon. Before we have another tradeshow or lavish party, as there's nothing to party about, we need to come together and collaborate to completely overhaul the entire InfoSec industry and we must do it now. It's quickly reaching the point where there will be nothing left to protect. We need to reconsider and reengineer the defenses that make up our existing strategies. This means we reengineer solutions from the ground up to be resilient to attack. Cynicism has gripped the industry and cynicism leads to defeatism. It's time to restore idealism to InfoSec as idealism promotes innovation.