Earlier this year, the European Commission announced a comprehensive review of the EU’s 1995 data protection rules to strengthen online privacy rights in a bid to boost Europe’s digital economy.
Whether this goal will be achieved remains to be seen but, regardless of what it eventually decrees, increased privacy rights will be a given. While we wait to find out what the actual changes will be, organisations must act now to stay ahead of the game.
As you’d expect, the EU’s 1995 data protection rules govern how personal data is collected, what it is used for and dictates that organisations have an obligation to protect it from misuse.
The key changes to the reform that will make organisations sit up and take notice are:
- Serious data breaches will have to be notified as soon as possible (if feasible within 24 hours)
- Penalties will be increased. For example, in the UK at present, the ICO can penalise organisations up to £500K. Under the revised legislation this would increase to €1 million or up to 2% of the global annual turnover of a company.
The need for Change
The rulings date back to 1995 when the internet was virtually unheard of by many. While this technological advancement has revolutionised the way many businesses operate – in fact some wouldn’t even exist without it, it has also introduced a number of challenges.
For instance an organisation’s perimeter is no longer restricted to physical or even geographical boundaries. While good for trade in allowing practically any business to operate internationally, it can also allow hackers in to, and facilitate the easy transfer of corporate data out of, the safe confines of the network.
Unlike the physically connected desktops of 1995, today data can be transmitted wirelessly between a myriad of devices – Laptops, Smartphones, Tablets, USB sticks and the list goes on. The challenge for organisations is to prevent this multitude of endpoints facilitating data seepage.
Unfortunately, short of locking data away and never allowing anyone to access it, there is no one thing that can be done to minimise the risk of data breaches. Equally true, doing nothing is unacceptable and leaves the enterprise exposed to risk. Organisations need to mesh together appropriate procedures and policies to wrap the network in a security blanket that controls how data is accessed and what can be done with it.
The use of domains introduces control for specified groups of users and/or servers through a central security database. Once authenticated to a central server (or domain controller) users’ access to specific services, applications and directories can be restricted according to their job function or security clearance.
Taking this further, introducing GPO (Group Policy Object) organisations can define what a system will look like and how it will behave for specific user groups. For example, you can define registry-based policies, security options, software installation and maintenance options, and even folder redirection. In this way, GPO can be used to deploy anti-virus solutions, making sure every workstation in a certain domain is running the program and ensuring each is regularly updated and patched.
A typical barrier organisations encounter, especially when locking down workstations, is an increase in calls to the help desk from users trying to do something that they’re not ‘authorised’ to do. Depending on the controls introduced, this could be accessing a particular directory, installing a printer driver, or even allowing a piece of software to run. In an effort to circumvent this, UAC (User Access Control) was introduced, and is arguably still one of the most controversial technologies.
UAC allows users with local admin rights to authorise applications to run – more often than not with the user unaware of the security implications this can have. On the other hand, if the user is not given admin rights, he is prompted by UAC and has to call the help desk every time he wishes to run an application. In an effort to limit these prompts, a UAC slider was introduced in Windows 7 which effectively allowed users with admin rights to turn off UAC – leaving organisations vulnerable to the devastation that can go on in the background undetected.
A defense-in-depth approach is another practice few employ but is exceptionally effective when it comes to increasing security and ultimately data protection by removing means of attack. It refers to installing a layered security approach – such as anti-virus software, anti-spyware protection, combined with routine patching and maintenance of existing solutions plus disabling applications and software that isn’t needed.
Application whitelisting is an effective way to ensure only applications that you want to run within your environment are allowed to do so. Similar to a security guard, if the name’s not down it’s not coming in.
The threat from within
While each of the practices listed above will ensure a good strong enterprise, the one vulnerability that can’t be prohibited is the users. All too often it is the humans that introduce vulnerabilities.
We touched on this briefly when looking at UAC, but it is the routine practice of allowing users admin rights that can destroy an organisations security position. For example, once logged in as an administrator and with a little technical knowledge, a user can override controls, ignore patch requests or even switch off applications – such as anti-spyware protection, install unlicensed programs, access restricted directories, change settings, etc.
Key risks include the following:
- A user with excessive privileges can either deliberately or accidentally cause system configuration problems, resulting in downtime and increased desktop support
- Many malware writers have designed programs to actively seek admin accounts. As an administrator has full control over the system, so too will the malicious software as it will not need to find a security flaw to gain privileged access to the system. Malware can use this privileged status to install drivers, intercept logon passwords, create user accounts, install root kits, replace system files and disable security software. In fact many viruses fail to infect a computer where a user has standard rights, and there is strong evidence that running users with minimal rights greatly reduces the risk of virus infection
- Users with administrator rights are also free to install programs, which leads to unlicensed software installed on corporate systems and system stability problems.
A least privilege, and therefore least risk, strategy covers all other security measures like an umbrella, strengthening overall security even further. As we await the finer details of the reform one thing is a given – the more an organisation does to secure their data and comply with legislation, the less likely they are to fall victim and the lower the fine if they do suffer a breach.