the data, volumes of unprotected data will find itself on mobile devices or in the cloud,
where the device or storage isn’t protected. Here, we’re sharing three principles to keep
data protected that we share in discussions with businesses as they deal with end-of-
support of software and systems.

1. Run Supported Systems and Software. It bears repeating this straightforward
advice. XP has already run past the typical 10-year Microsoft support cycle, and
Microsoft has already posted warnings of the potential multiplication of “zero day”
attacks on the system after the April 8 support deadline. In part, that’s because
after the April deadline there will be no more updates or security guarantees
from Microsoft. So it just makes good security sense to get off XP and onto a
supported operating system for your business and personal use. This also opens
the conversation around security with all of the software and applications
connected to XP. Are these up to date? Beyond that, do they match today’s
threats and your own risk appetite?


2. For Enterprise Security, Start with the Data. The shift in operating systems
provides a chance to move your security focus to the data itself first, and to the device
second. Data-centric encryption, for instance, guards the data against attackers regardless
of which system it sits on. This keeps the protection ahead of most threats and decoupled
from the slower rate of change found in operating systems. Focusing on this type of
data-centric protection boils down to implementing controlled encryption, with policies
in place that include a contingency key with every encryption operation, so that the
organization never loses access to the data, even as employees come and go.


3. Are You Really in Compliance? Put a different way, don’t make compliance
initiatives on security merely a checkmark in your strategy. Miss out on the
details of compliance as it relates to your security plan and you fail to protect
yourself from both the bad guys and the auditor. For example, Federal Information
Processing Standard 140-2, or FIPS 140-2, covers several levels of assurance for
encryption products. What government agencies need is a review of their encryption
products to ensure they are all FIPS 140-2 compliant. From what we’ve seen in the
past, this hasn’t stopped some software from being passed off as “compliant” – and
business users being okay with that. For example, one government customer discovered
that the product they were using was incapable of providing any policy-based
contingency keys or private key escrow, in addition to not being FIPS 140-2
compliant. They were left with gigabytes of encrypted, inaccessible, useless data.
If they had only implemented a FIPS 140-2 compliant, policy-based encryption
solution with master key capabilities, all of their data would have been protected
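Points 2 and 3 both turn on the same mechanism: every encryption operation must also wrap the data key under an organizational contingency (escrow) key, so that data stays recoverable when an employee's key is gone. The following is an added example written for this article, not code from the magazine or from any vendor's product; it uses Go's standard-library AES-GCM as a stand-in for whatever FIPS 140-2 validated module a real deployment would use, and the key labels, the `Encrypt`/`Decrypt` helpers and the sample payload are constructed for illustration. `Encrypt` refuses to run at all unless a contingency key is supplied, which is the policy check that the customer in the article was missing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ContingencyLabel names the organizational escrow key that policy requires
// on every encryption operation (hypothetical label chosen for this example).
const ContingencyLabel = "org-contingency"

// ErrNoContingency is returned when a caller tries to encrypt without
// supplying the contingency key: the operation is refused rather than
// producing data that only one person could ever recover.
var ErrNoContingency = errors.New("policy violation: encryption without a contingency key")

// Envelope is stored next to the data: the ciphertext plus one wrapped copy
// of the data-encryption key (DEK) per recipient key-encryption key (KEK).
type Envelope struct {
	Ciphertext  []byte            // nonce || AES-GCM(DEK, plaintext)
	WrappedKeys map[string][]byte // label -> nonce || AES-GCM(KEK, DEK)
}

// gcmSeal encrypts plaintext under key with a fresh random nonce and
// prepends the nonce so the blob is self-describing.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// gcmOpen reverses gcmSeal; the GCM tag check fails on a wrong key or on
// any tampering with the blob.
func gcmOpen(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// newKey returns a random 256-bit key (used here for both KEKs and DEKs).
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// Encrypt generates a one-time DEK, encrypts the data with it, and wraps the
// DEK under every supplied KEK. The contingency KEK is mandatory.
func Encrypt(plaintext []byte, keks map[string][]byte) (*Envelope, error) {
	if _, ok := keks[ContingencyLabel]; !ok {
		return nil, ErrNoContingency
	}
	dek := newKey()
	ct, err := gcmSeal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Ciphertext: ct, WrappedKeys: map[string][]byte{}}
	for label, kek := range keks {
		wrapped, err := gcmSeal(kek, dek)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[label] = wrapped
	}
	return env, nil
}

// Decrypt unwraps the DEK with the KEK registered under label, then opens the data.
func Decrypt(env *Envelope, label string, kek []byte) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[label]
	if !ok {
		return nil, fmt.Errorf("no key wrapped for %q", label)
	}
	dek, err := gcmOpen(kek, wrapped)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed for %q: %w", label, err)
	}
	return gcmOpen(dek, env.Ciphertext)
}

func main() {
	employeeKEK, contingencyKEK := newKey(), newKey()
	// Constructed sample payload for the demonstration.
	env, err := Encrypt([]byte("Q4 payroll export"), map[string][]byte{
		"alice": employeeKEK, ContingencyLabel: contingencyKEK,
	})
	if err != nil {
		panic(err)
	}
	// Alice has left and her KEK is gone; the organization recovers the data
	// with the contingency key that policy forced into the envelope.
	pt, err := Decrypt(env, ContingencyLabel, contingencyKEK)
	fmt.Printf("recovered via contingency key: %q (err=%v)\n", pt, err)
	// An encryption request that omits the contingency key is refused outright.
	_, err = Encrypt([]byte("x"), map[string][]byte{"bob": newKey()})
	fmt.Println("policy check:", err)
}
```

The design choice worth noting is that the policy is enforced at the point of encryption, not at recovery time: an envelope that was never wrapped under the contingency key cannot be retrofitted later, which is exactly how the customer in the article ended up with gigabytes of unrecoverable ciphertext.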



10 Cyber Warnings E-Magazine – December 2013 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide