
Preventing Data Breaches: New Tools And Technologies

Source: Toms IT Pro

As data breaches are on the rise, new security tools and technologies to prevent them are becoming available. Straight from the SecureWorld Expo, here are a few new security tools to consider.

This has been a difficult year for companies defending against cyber attacks. Entering the year on the heels of the massive breach of retail giant Target, 2014 has seen more than 600 breaches impacting more than 81 million records, according to the Identity Theft Resource Center's 2014 Data Breach Category Summary published earlier this week (Nov. 12, 2014).

The report breaks down breaches into five major industry verticals: Banking/Credit/Finance, Business, Education, Government/Military and Medical/Healthcare. In nearly 89 percent of the medical and healthcare breaches, the number of records compromised was identified; this was true for 74 percent of breaches in education and 68 percent of the government and military breaches. However, only 33 percent of the businesses and a mere 17 percent of the banks were able to identify the number of records breached.

Far and away the largest breach of the year so far is Home Depot, with more than 56 million credit and debit card files compromised, as well as a still-unknown number of customer email accounts, although the report notes that phishing attacks against Home Depot customers are ongoing.


ITRC says it collected and compiled data from published reports of breaches. It cites the web sites of state Attorneys General as sources, as well as confirmed media reports and announcements from companies.

Not all breaches are massive, exposing the data of millions of users. In fact, the ITRC report ranges from the Pee Dee Regional Transportation Authority of South Carolina, which reported the loss of personal data on 50 current and former employees, to the City of Detroit, which reported that a malware attack exposed data on 1,700 Detroit Fire and Emergency Medical Services employees.

Some of the breaches were due to stolen hardware, while others were caused by an employee having unencrypted personally identifiable information (PII) of employees or customers outside of their offices, in violation of company policies. Phoenix-based Banner Health reported in February that Medicare identification numbers and Social Security numbers showed up on magazine address labels.

The results of the ITRC report are consistent in terms of identity theft with the Data Breach Investigations Report published earlier this year by Verizon Business. The Verizon report, however, includes non-breaches and data derived through forensic investigations that are not targeting identity theft. Those attacks also show increases over years past.

While recent press reports indicate state-sponsored attacks from China and Russia were behind some recent notable breaches, including the U.S. Postal Service and some US weather satellites, the vast majority of the breaches cited by these reports over the past two years have been due to malware, attacks where financial gain appears to be the incentive, and losses due to user or configuration errors. "Espionage is not one of the more common patterns in the Public sector, but if you look solely at data breaches, it becomes quite prominent," the company stated in the Verizon DBIR endnotes.

New Security Tools And Technologies

But while the sheer number of breaches is increasing, this is happening, in part, because of better recognition and identification of attacks, experts agree. One approach to reducing data breaches is doing a better job at authenticating users and authorizing access. One specific approach gaining favor is multifactor authentication.

Many of the vendors at SecureWorld Expo in Bellevue, WA, which started the day after the ITRC report was released, displayed products designed for multifactor authentication or that have the technology built in. Hypersecu Information Systems, Inc., a provider of physical security and access management devices, unveiled the HyperOTP Ray, a self-programming one-time password token that can store multiple accounts on a single device. The token is designed for enterprise use but can also be used to protect consumer-type applications such as Facebook, online banking or Gmail, the company said.

Front and back of the HyperOTP Ray. Image courtesy of Hypersecu

Unlike many of the popular devices in use today, the HyperOTP Ray can be reprogrammed if the seed files are hacked or corrupted, said marketing representative Alita Blair. The unit is said to be more secure than using a cell phone with Google Authenticator because the phone is "only a soft token, whereas the Ray is a hard token," she said.
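Why the seed matters, as an added example that is not Hypersecu's code: the article does not say which algorithm the Ray uses, so this assumes the standard HOTP/TOTP construction from RFC 4226 and RFC 6238, and `hotp`, `totp`, `verify` and `reseed` are illustrative names. Every code is a pure function of the seed and a counter, so a copied seed yields valid codes until the token and the server are both reprogrammed with a new one.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, candidate: str, unix_time: int,
           step: int = 30, window: int = 1) -> bool:
    """Server-side check; accepts adjacent time steps to tolerate clock drift."""
    current = unix_time // step
    for counter in range(max(0, current - window), current + window + 1):
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(seed, counter), candidate):
            return True
    return False


def reseed() -> bytes:
    """Fresh 160-bit seed, as provisioned when a token is reprogrammed."""
    return secrets.token_bytes(20)


if __name__ == "__main__":
    old_seed = b"12345678901234567890"  # RFC test seed, not a real secret
    now = 59                            # RFC 6238 test timestamp
    code = totp(old_seed, now)          # what any holder of the seed computes
    print("accepted under old seed:", verify(old_seed, code, now))
    print("accepted after reseed:  ", verify(reseed(), code, now))
```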

Storage vendor Apricorn Inc. of Poway, CA, displayed a variety of USB-connected storage devices that required either a passcode or fingerprint identification to access the device. A company spokesman says that the company's Aegis Padlock, which adds security directly to a thumb drive or private cloud drive and supports 256-bit AES-XTS hardware encryption, now supports up to 6 TB of storage per device. This effectively adds another layer of authentication after the user logs on to their corporate system.

Also new at the conference was OpenDNS's Cloud Services Report that identifies Shadow IT functions within a company's cloud environment. This product is an extension of the company's current offerings, a spokesman said. Companies that currently use the company's services can simply add the Shadow IT identification function to their existing services, he added. The Cloud Services Report from OpenDNS went live the first week of November.

The reporting function is able to identify cloud services that are storing company data outside of traditional network controls. Because many cloud services are obtained by department managers directly and not run through the IT department -- services such as Google Drive, Dropbox, Gmail, Facebook and Salesforce, for example -- the IT and security teams need to ensure that they know where confidential data resides and that it is safe. That is the purpose of this new reporting capability, the company said.
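One way a report of this kind could be built from DNS query logs, as an added example that is not OpenDNS's implementation (the article does not describe how the product works internally). The log format, the domain catalogue and the sanctioned list are constructed assumptions; the service names are the ones the article mentions.

```python
from collections import defaultdict

# Assumed catalogue: domain suffix -> service name (services named in the article).
CATALOGUE = {
    "drive.google.com": "Google Drive",
    "mail.google.com": "Gmail",
    "dropbox.com": "Dropbox",
    "facebook.com": "Facebook",
    "salesforce.com": "Salesforce",
}
SANCTIONED = {"Salesforce"}  # assumed: the only service IT has approved

# Constructed sample log: "<ISO time> <client IP> <queried name>"
SAMPLE_LOG = """\
2014-11-13T09:00:01Z 10.1.4.20 www.dropbox.com.
2014-11-13T09:00:05Z 10.1.4.20 client.dropbox.com.
2014-11-13T09:01:10Z 10.1.7.31 drive.google.com.
2014-11-13T09:02:00Z 10.1.7.31 login.salesforce.com.
2014-11-13T09:02:30Z 10.1.9.12 notdropbox.com.
2014-11-13T09:03:00Z 10.1.9.12 Mail.Google.com.
malformed line
"""


def classify(qname):
    """Map a queried name to a service by matching whole DNS labels."""
    labels = qname.rstrip(".").lower().split(".")
    # Walk from the full name to shorter suffixes; label-wise matching
    # keeps notdropbox.com from being counted as dropbox.com.
    for i in range(len(labels)):
        service = CATALOGUE.get(".".join(labels[i:]))
        if service:
            return service
    return None


def shadow_it_report(log_text):
    """Return {service: {"queries": n, "clients": [IPs]}} for unsanctioned services."""
    hits = defaultdict(lambda: {"queries": 0, "clients": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records rather than abort the report
        _, client, qname = parts
        service = classify(qname)
        if service and service not in SANCTIONED:
            hits[service]["queries"] += 1
            hits[service]["clients"].add(client)
    return {s: {"queries": v["queries"], "clients": sorted(v["clients"])}
            for s, v in hits.items()}
```

Calling `shadow_it_report(SAMPLE_LOG)` lists Dropbox, Google Drive and Gmail with the internal clients that reached them, which gives the security team a starting point for finding where company data is stored.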
