Wieland Alge, Vice President and General Manager EMEA at Barracuda Networks, speaks on fighting virtual shadows to protect customer data from malicious intent, in the wake of the recent Barclays data breach.
TechRadar Pro: What did you make of Barclays Bank recently having thousands of customer details stolen and sold?
Wieland Alge: The plight of Barclays Bank, following the theft of thousands of confidential customer files, has once again thrust the issue of how organisations protect confidential data high up the business and consumer agenda.
Accountable heads are lifting from the global sands of ignorance as theoretical threats become real life scenarios that must be dealt with or expose data vulnerabilities which could see the downfall of even the most powerful brands.
TRP: In your experience, what are the expected repercussions from such a high profile breach?
WA: This confidential data belongs to the customer, not the enterprise. Customers very quickly turn away from brands that are shown not to be worthy of being trusted with confidential personal data. Ask yourself, how many chances would you give a bank that hands over your details to criminals with malicious intent?
TRP: How do you keep one step ahead of the criminal minds?
WA: Good question. So how does an enterprise IT department keep ahead of criminal masterminds?
Besides protecting against system failure, comprehensive data strategies must protect against a new generation of attackers that are improving their exploitation tactics greatly.
With tactics ranging from pop-up adverts and spyware to capture web browsing habits to the insertion of Trojans or use of cleverly crafted queries designed to steal passwords and log-in information, there is malicious intent lurking in every virtual shadow.
To protect against these attacks, organisations must take into account the three core areas hackers can compromise online:
• Malicious People – the potentially dangerous people with whom users interact
The Barclays security breach highlights the vulnerability posed by people with the now infamous delivery to a national newspaper of a memory stick containing personal details of 2,000 customers.
• Malicious Places – the potentially dangerous destinations or URLs where users visit
The number of phishing campaigns worldwide increased by more than 20 percent in the third quarter of 2013, with crimeware (malware designed specifically to automate cybercrime attacks) evolving and proliferating, according to the Anti-Phishing Working Group (APWG).
• Malicious Things – the potentially dangerous objects/applications with which the user interacts
TRP: And is this not already happening? Surely there have been enough high profile hacks in the last six months to put this right at the top of IT agendas?
WA: Every day, more than 100,000 Web sites are running with the singular goal of spreading crimeware which can cripple the effectiveness of information security efforts.
WA: There is a gaping hole in today’s approach to security, and organisations are not doing enough to keep data safe.
The hackers have taken notice and shifted their attack mechanisms to bypass traditional security measures, and the security industry as a whole must do the same. More than ever, security needs to be intelligent, scalable, and always available wherever end users happen to be.
TRP: Is it only big businesses that can protect themselves against malicious activity?
WA: Not at all. SMEs are exposed to exactly the same IT threats as large companies but where international corporations employ large teams dedicated to IT security, an SME must do what it can with much smaller budgets.
Security has become a great deal cheaper over the past few years and professional solutions are affordable for smaller businesses. Technology, therefore, is not the answer, but staff training is.
Larger businesses have the financial ability to send team members for official training more easily than SMEs, so smaller businesses should also ensure that their teams are well educated internally on how they can keep their company’s data safe.
TRP: What kind of evolving tactics should IT professionals be wary of?
WA: Phishing, for example, has not only flourished, but evolved in recent years for businesses of all sizes, and we all know the consequences can lead to a tarnished reputation and loss of business.
A common form of attack now includes using email addresses stolen from specific databases using ‘SQL injection’ to launch targeted spear-phishing attacks against email users. To mitigate against this, protecting your databases using properly configured web application firewalls (WAFs) is a no-brainer.
General phishing attacks target a wide variety of people, typically flooding thousands of inboxes. However, spear phishing targets specific people or organisations.
Usually, the attacker will research personal information about the individuals in order to make their messages sound more convincing. The availability of personal information via social media has made this process a lot easier for cyber criminals. This stresses the importance of businesses educating their users to be vigilant at all times, especially in their personal online activities.
TRP: So what’s your advice for anyone looking at the current Barclays situation hoping that it never becomes their own professional reality?
WA: There are two basic rules, of equal importance, to adhere to when developing, implementing and managing data strategy:
Rule #1 for protecting your customers: Never lose their identity.
• Ensure clear accountability for protecting individuals’ privacy at all times.
Rule #1 for employees: Educate them to not put business related information at risk.
• Continually consider and address privacy concerns.
A comprehensive approach built on these two rules is the only way to stop malware, spyware, viruses, malicious content, and other threats in order to prevent hacking attacks.
The NTP is one of several protocols used within the infrastructure of the internet to keep things running smoothly. Unfortunately though, despite being vital components, most of these protocols were designed and implemented at a time when the prospect of malicious activity was not considered.
Anticipated or not, there will always be new and bigger threats to data to deal with. The best that organisations can do to protect their data, their customers and their reputations is ensure all best efforts are always being made to protect against them with thorough policy and process. Faith, honour and commitment should be shown to ‘The Rules’ at all times.