ANALYSIS: Taking the right response to data breach risk

10 Feb 2011

Security experts urge CIOs to take a close look at their systems to spot the real weak points.

In the wake of this week’s data breach at Recruitireland.com, security experts are warning IT chiefs to take prudent responses to protecting their systems.

Reports emerged earlier this week that the Recruitireland.com website was compromised, with attackers having accessed the names and email addresses of people registered to use the site. It follows revelations in January that Fine Gael’s site was attacked, and news of a breach of the GAA’s systems last year.

High-profile breaches such as these become public because they involve personal information being put at risk, but they don’t account for the majority of security incidents that typically face Irish businesses. According to security industry experts, CIOs should be wary of dropping all other priorities to guard against an attack that may be unlikely to occur.

“You could stop the rest of your IT, and put all of your resources into security for a year and still not be 100pc secure,” said Owen O’Connor, who heads the Irish chapter of the Information Systems Security Association.

He advised companies to go through any systems that are connected to the internet and to look for obvious weak points. He pointed to the Open Web Application Security Project’s checklist of top 10 vulnerabilities as a good place to start, rather than just throwing money at the problem. “There’s no silver bullet, it’s about dealing with the low-hanging fruit. If some element of a system is protected by a default, easily guessed password, it doesn’t take $10,000 of security products to detect that.”

Reported rather than discovered breaches

However, many companies could do more to monitor their systems so they become aware of a breach rather than waiting for others to discover it first, O’Connor added. “One lesson you could definitely take is that these incidents were reported rather than discovered; both organisations were told about it rather than detecting it, which is obviously the worst-case scenario.”

“The best question a managing director can ask is ‘tell me we’re not being complacent,’” said Dermot Williams, managing director of the IT security firm Threatscape. “You do have to reassess (security measures) from time to time because the risks are changing and your data is changing. Without being paranoid, you just have to be prudent.”

Williams pointed out that the sophistication required of an individual attacker isn’t what it used to be, as there are toolkits available to buy online for mounting attacks on websites. “It’s an interesting trend: with quite a number of the recent attacks, people almost immediately talk about how they have fallen prey to a sophisticated attack. It’s as if to say ‘we’re not to blame.’ The reality is, when they really do the post mortems, computers don’t make mistakes, people do, and the systems haven’t been secured correctly,” he said.

Responsibility for security

The worst assumption a company can make is to believe someone else has looked after security, especially where there may be multiple, but connected systems, such as a business application linked to a web server, connected to a firewall and a router, he added.

Under the Irish Data Protection Acts, ultimate responsibility for the safety of information lies with the organisation – or person – that has gathered that data in the first place, and not the outsourced provider or third-party firm.

According to Brian Honan, head of BH Consulting, a far bigger threat is the number of Irish websites that are attacked through vulnerable back doors and which are then used to host malware or phishing sites.

Honan echoed calls for appropriate risk assessment when companies decide how they plan to tackle security. Any measures should depend on the kind of data the company uses, and whether it is published online. “Regularly check the controls, make sure antivirus is constantly updated and that people haven’t turned it off, or that they aren’t using weak passwords.”

Plan ahead

Aside from technology, good incident response planning can also help to minimise the impact of a possible breach, said Honan. “You may not be able to know exactly how a breach is going to happen, but at least have a crisis plan in place so you have proper resources to take action. Have those decisions made beforehand, such as who is going to talk to the Data Protection Commissioner, the gardaí, to clients and to the press,” he said.

Lastly, Honan warned against seeing incidents like the Recruitireland.com or Fine Gael attacks as part of a trend. He said the GAA website breach last year was by a disgruntled employee of a third-party provider, while the Fine Gael attack was allegedly committed by the Anonymous group. “This isn’t Chinese cyber war, these are isolated incidents. I don’t think Ireland has suddenly arrived in the crosshairs of attackers,” he said.

Gordon Smith was a contributor to Silicon Republic