The headlines about the data breach on Facebook are still numerous.
Unlike website hacks, in which credit card information is simply stolen from major retailers, the company in question, Cambridge Analytica, had been granted the right to use that information.
Unfortunately, they used this information without permission and in a manner that was plainly deceptive to both Facebook users and Facebook itself.
Facebook CEO Mark Zuckerberg has vowed to make changes to prevent this kind of information misuse from happening again, but it appears that most of these changes are internal to Facebook.
Individual users and businesses still need to take their own steps to ensure that their information remains as secure as possible.
For individuals, the process of improving online protection is fairly straightforward. It can range from leaving sites like Facebook altogether to avoiding the so-called free game and quiz sites that require access to your information and that of your friends.
A separate approach is to use different accounts. One could be used for access to important financial sites; a second and others could be used for social media sites. Using several accounts is more work, but it adds extra layers that keep an intruder away from your key data.
Companies, on the other hand, need a more comprehensive approach. While almost all use firewalls, ACLs, account encryption, and more to prevent a hack, many companies do not maintain the infrastructure that leads to the data.
An example is a company that enforces rules requiring users to change their passwords regularly, but is lax about changing the credentials of its infrastructure devices such as firewalls, routers, or switches. In fact, many never change them at all.
Those who use web services for data should also rotate their credentials. Access requires a username and password or an API key that is created when the application is built but rarely changed afterwards. A former employee who knows the API key for the credit card processing gateway can still access that data even after leaving the company.
It can get worse. Many large companies bring in additional companies to help with application development. In this scenario, the software is deployed on the third-party company's servers and may contain the same API keys or username/password combinations used in the production application. Since these are rarely changed, a disgruntled third-party employee has everything needed to retrieve the data.
Additional processes should also be taken to prevent the occurrence of a data breach. These include …
• Identify all devices involved in public access to corporate data, including firewalls, routers, switches, servers, and more. Create detailed access control lists (ACLs) for all of these devices. Change the passwords used to access these devices frequently, and change them whenever a member of any ACL in that path leaves the company.
• Identify all passwords for embedded applications that access data. These are passwords built into the applications themselves. Change these passwords frequently, and change them whenever a person working on one of these software packages leaves the company.
• If you use third-party developers to help build your application, set up separate credentials for the third party and change them frequently.
• If you use an API key to access web services, request a new key whenever people involved with those web services leave the company.
• Understand that a breach will occur, and develop plans to detect and stop it. How do companies protect against this? It is somewhat complicated but not out of reach. Most database systems have monitoring built in; unfortunately, it is often used improperly or not at all.
An example would be a database with a table containing customer or employee data. As an application developer, one would expect an application to access that data. However, if an ad hoc query is run that reads a large part of this data, a properly configured database monitor should at least alert you that it has happened.
• Use change management to control changes. Change management software should be installed to simplify management and tracking. Lock all non-production accounts until a change request is active.
• Do not rely on internal audits. When a company audits itself, it usually minimizes potential flaws. It is best to use a third party to verify your security and policies.
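The detection described in the bullet on breach planning, as an added example that is not from the original article: a small monitor that reads database audit log lines and flags ad hoc statements (ones not issued by an approved application) that return more than a set share of a sensitive table. The log format, table names, row counts, application names and sample lines are all constructed for illustration.

```python
"""Flag ad hoc queries that read a large share of a sensitive table (added example)."""
import re
from collections import namedtuple

# Constructed audit-log line format (hypothetical, not any real product's):
#   timestamp|db user|client application|rows returned|SQL statement
LOG_LINE = re.compile(r"^(?P<ts>\S+)\|(?P<user>[^|]+)\|(?P<app>[^|]*)\|(?P<rows>\d+)\|(?P<sql>.*)$")

# Sensitive tables and their approximate row counts (constructed values).
SENSITIVE_TABLES = {"customers": 50_000, "employees": 1_200}
# Applications that are expected to read those tables; anything else is "ad hoc".
APPROVED_APPS = {"billing-svc", "crm-web"}
# Alert when a single statement returns more than this share of a sensitive table.
SHARE_THRESHOLD = 0.05

Alert = namedtuple("Alert", "ts user app table rows share")


def tables_in(sql):
    """Return the lower-cased table names that follow FROM or JOIN in a statement."""
    return {t.lower() for t in re.findall(r"\b(?:from|join)\s+([A-Za-z_][A-Za-z0-9_]*)", sql, re.I)}


def scan(lines):
    """Return one Alert per ad hoc statement that reads too much of a sensitive table."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the monitor
        rows = int(m["rows"])
        adhoc = m["app"] not in APPROVED_APPS  # empty app name counts as ad hoc too
        for table in tables_in(m["sql"]) & set(SENSITIVE_TABLES):
            share = rows / SENSITIVE_TABLES[table]
            if adhoc and share > SHARE_THRESHOLD:
                alerts.append(Alert(m["ts"], m["user"], m["app"] or "<none>", table, rows, round(share, 3)))
    return alerts


# Constructed sample log: one normal application read, one bulk dump from an
# interactive client, one small ad hoc read under the threshold, one scripted
# bulk read with no application name, and one malformed line.
SAMPLE_LOG = [
    "2024-05-01T09:00:01|app_billing|billing-svc|1|SELECT name FROM customers WHERE id = 42",
    "2024-05-01T09:02:17|jdoe|psql|48000|SELECT * FROM customers",
    "2024-05-01T09:05:00|jdoe|psql|10|SELECT * FROM employees WHERE dept = 'IT'",
    "2024-05-01T09:06:30|svc_report||900|SELECT e.name FROM employees e JOIN salaries s ON s.emp_id = e.id",
    "this line is not an audit record",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"ALERT {a.ts} user={a.user} app={a.app} table={a.table} rows={a.rows} share={a.share}")
```

Running the block prints two alerts: the full dump of `customers` from `psql` and the unattributed read of 75% of `employees`; the approved application read and the small ad hoc read stay silent.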
Many companies offer audit services, but over time this author has found that a forensics approach works best. Analyzing every part of the infrastructure, creating guidelines, and monitoring compliance with them is a necessity. Yes, changing every device and embedded password is tedious, but it is easier than facing public opinion after a data breach.