By Joe Alecci, Senior Manager - IT Audit & Information Security
With the advent of new regulations, such as NYDFS Part 500 Cybersecurity Requirements and General Data Protection Regulations ("GDPR"), more focus has been placed on securing data in transit and data at rest. Data in transit is data that is actively moving through an internal network or flowing over the Internet to an off-site location. Data at rest is inactive data that is stored locally on a hard drive in a data center, on a local machine or on a mobile device, such as a laptop. While it is often thought that data in transit is easier for an attacker to obtain, it is often the opposite. From an attacker's standpoint, data at rest on your file servers and storage networks is much more valuable because that is where the bulk of nonpublic information resides (i.e., SSNs, account numbers,etc.). It is much more difficult to capture network traffic or data in transit because of the equipment, skillset and access to network media that are required. While moving data over the Internet is not without risks, an attacker will almost always want to take the path of least resistance such as obtaining a password through a Social Engineering campaign and not deploying a network sniffer.
While the exposure of data in any state is a risk and requires protection, there are different ways to take precautions. Encryption is probably the most common way of protecting data in any state. Most Internet traffic is encrypted through the use of secure connections (i.e., SSL, TLS,etc.), but what about data at rest? Since generally most institutions have Microsoft-based networks, the use of BitLocker encryption or Transparent Data Encryption ("TDE") is often used. BitLocker uses Advanced Encryption Standard ("AES") to encrypt the volumes on Microsoft Windows Servers and Workstations while TDE is used to encrypt Microsoft SQL Databases.
Although encryption is paramount, there are other effective measures in a layered security model that can be utilized to enhance data protection:
First, ensure that your firewall, intrusion detection/prevention systems and network access control points are properly configured and up to date with the latest versions, firmware and security patches.
No matter what state your data is in, the inherent risk should be based upon the criticality, sensitivity and/or value of the data to your organization and customers. Once you've identified your data, the next step is to classify your data to ensure that you are focusing on the right areas and that your resources are properly deployed. Remember, you need to win the war every day; a hacker only needs to win once!
To learn about P&G's IT/Cybersecurity Internal Audit & Risk Management Services, please email WhatsYourRisk@pandgassociates.com or call 877-651-1700.
Joseph Alecci, CISA, CISM, CISSP, CRISC
Associate Director, IT & Cybersecurity
Joseph Alecci leads the IT/Cybersecurity Audit & Risk Management Group at P&G Associates. He has over 20 years of experience in information systems and auditing management and is a member of the ISACA N.J. Chapter Board of Directors.