Defending-Data-Smartly WHPDDS WHP Eng 0822
Security
DEFENDING DATA SMARTLY
CONTENTS
4 Introduction
4 Reactive DLP Misses Security Target
5 / Pretty Good Privacy
5 / Information Rights Management
5 / DLP Advances
6 Compliant Does Not Equal Secure
9 Privacy and Security Must Align
10 Security Strategy Can Be Smarter
13 Conclusion
14 Acknowledgments
ABSTRACT

Willie Sutton was a notorious bank robber in the early 1900s, known for his colorful character and his alleged answer to the question of why he robbed banks.[1] His answer

In a digitally dependent world, with our collective wealth moving from physical banks to digital ones, our intellectual and digital value has also moved to an increasingly digital model. We have become more reliant on a variety of digital data for the furtherance of our species, yet continue to lose ground in the defense of this critical asset. Billions of dollars have been spent attempting to better secure our systems, yet we have failed at protecting our data.

In this white paper, you will learn both why this failure has happened and how we can move past it by adopting a combination of technical solutions and strategic approaches in order to successfully defend our data.

[1] US Federal Bureau of Investigation, “Willie Sutton,” www.fbi.gov/history/famous-cases/willie-sutton
Introduction

Despite the billions of dollars spent to secure enterprise data, current solutions continue to fall short. If fully

mortgaged their mileage programs to raise cash during the pandemic.[3]

[2] Kerner, S.M.; “34 Cybersecurity Statistics to Lose Sleep Over in 2022,” Tech Target, 15 March 2022, www.techtarget.com/whatis/34-Cybersecurity-Statistics-to-Lose-Sleep-Over-in-2020
[3] Genter, J.; “How Airlines Make Billions From Monetizing Frequent Flyer Programs,” Forbes, 15 July 2020, www.forbes.com/sites/advisor/2020/07/15/how-airlines-make-billions-from-monetizing-frequent-flyer-programs/?sh=e99ec7d14e91
[4] De Groot, J.; “What is Data Loss Prevention (DLP)? A Definition of Data Loss Prevention,” Digital Guardian, 1 October 2020, https://digitalguardian.com/blog/what-data-loss-prevention-dlp-definition-data-loss-prevention. ISACA defines data loss prevention as detecting and addressing data breaches, exfiltration or unwanted destruction of data.
Pretty Good Privacy

Pretty Good Privacy (PGP), released in 1991, was another early technical attempt to standardize data protection strategies for enterprises. PGP uses encryption to render data useless to anyone who maliciously collects them, helping to secure the privacy of data within a transaction and prevent the exposure of sensitive information.

Although PGP works well if users are the only ones accessing the data, its slow and cumbersome key system requires users to have intricate knowledge of the system. This makes it difficult to intentionally share data with others. Also, after PGP encryption keys are shared, the original user loses control over the data and the encryption keys. The keys and the responsibility for the data within an exchange are shared by all parties involved in the communication. This is antithetical to good security practice and, as a result, PGP is unable to truly scale at the enterprise or infrastructure level.

Information Rights Management

IRM security restrictions for each enterprise are based on a required granular, customized and well-crafted IRM policy matrix. Therefore, IRM may be too cumbersome, requiring enterprises to apply custom IRM rules at various levels in their organizations.

DLP Advances

As data compromises continued, internet service providers introduced email secure gateway (ESG) technology that functions like antivirus and malware-defense programs and looks for patterns within emails. ESGs tag patterns recognized as potentially risky or threatening and quarantine or remove them from within the content. The first iterations of email security gateways and pattern recognition were relatively effective, focusing mainly on searching email files for common terms that might lead to data-breach activity. With the explosion of digital content, the exponential growth of data exchange across a variety of mediums and the ever-increasing
[5] Musarubra®, “What Is Information Rights Management (IRM)?,” www.trellix.com/en-us/security-awareness/cybersecurity/what-is-information-rights-management-irm.html
[6] Ibid.
[7] Ibid.
Generally, modern DLP solutions are based on one of two technical approaches:
• Traditional—Provides coverage for data across components, including the cloud, endpoints, network gateways and storage, which requires powerful processing and computing capability. Every transaction and exchange of data on an enterprise system must be analyzed in real time, which is a herculean task.
• Agent—Uses kernel-level agents on endpoints to monitor

Strategically, DLP technology fits well into the paradigms of effective enterprise security strategy, but DLP and the technologies that followed it are severely lacking because they are typically cumbersome for users, difficult and expensive to integrate and maintain, and a hindrance to necessary information sharing across enterprises.
Compliant Does Not Equal Secure

pump water safely to homes. Oil and gas systems must be certified and compliant for them to deliver fuel. But nearly every major enterprise throughout the world has had some form of data breach in the last decade, despite having one or more compliance mandates. Far too many enterprises have multiple forms of compliance applied to their infrastructure, their personnel, their data, their business and their digital presence at a variety of points, yet they are still breached. The number of breaches is up 27 percent from just a year ago, and the costs of breaches are the highest they have ever been.[8]

A great example of this is the Target® breach, wherein Target was certified as PCI compliant weeks before the breach occurred.[11] Another example is Heartland Payment Systems®, which was certified as PCI compliant for six consecutive years before its breach.[12] Compliance does not equal security, although some organizations believe that being compliant means being secure. Most enterprises that have a compliance program focus solely on achieving compliance to conduct business, i.e., they achieve compliance annually with an annual assessment and are certified. Some organizations apply a point-in-time compliance approach to long-term security strategies. Notably, most of those organizations fail to follow some of the best practices and basic approaches that are noted by practitioners of security strategy.

Identifying and localizing the data and information where cardholder information is stored and defining the compliance scope around that specific information and those specific data should be a first-instance requirement. Additionally, organizations should seek to gain visibility and control over all payment channels that could result in the compromise of cardholder information, should a malevolent actor breach the system.

Privacy stipulations

Another example of how easy it is to undermine the posture of a compliant organization is that of Sally Beauty Supply® system compromises. Sally Beauty Supply system administrators were using a Microsoft Visual Basic® script that allowed their network administrator to log in to an administrative system with default credentials. The administrator was using a script that contained the administrator username and password to log in to an administrative system.[13] During the compliance audit, the Visual Basic script was not checked for stored usernames and passwords. However, the adversaries looked at the script and were able to leverage that to cause a breach.

A further flaw with a singular focus on compliance when conducting digital business is that many organizations are continually working to reduce the scope of their compliance needs in order to expedite the compliance
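The stored-credential script in the Sally Beauty Supply example could have been caught by a simple audit check. The scanner below is an added example, not code from the paper or from any of the organizations it names; it reads a script line by line, flags lines that assign or pass a credential literal, and masks the secret in its report. The rule names and the sample script are constructed.

```python
"""Audit helper that flags credentials stored inside scripts.

Added example, not code from the ISACA paper or from Sally Beauty Supply;
the sample script below is constructed. It implements the check the paper
says the compliance audit skipped: read each script line, report where a
credential literal is assigned or passed, and mask the secret in the report.
"""
import re

# (rule name, regex, replacement). Group 2 of each regex is the secret,
# which the replacement masks so the audit report does not spread it.
CREDENTIAL_RULES = [
    # strPass = "..."  /  $Password = '...'  /  apiKey = "..."
    ("assigned_secret", re.compile(
        r"""(?i)((?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\w*\s*=\s*["'])([^"']{3,})(["'])"""),
     r"\1***\3"),
    # net use <drive> <share> /user:<name> <password>
    ("net_use_credentials", re.compile(
        r"""(?i)(\bnet\s+use\b.*\s/user:\S+\s+)([^\s"']+)"""), r"\1***"),
    # SWbemLocator.ConnectServer(host, namespace, "user", "password")
    ("wmi_connectserver", re.compile(
        r"""(?i)(\.ConnectServer\s*\([^)]*,\s*["'][^"']+["']\s*,\s*["'])([^"']+)(["'])"""),
     r"\1***\3"),
]

def scan_text(text, source="<string>"):
    """Return one finding per offending line: source, line, rule, masked text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # VBScript (') and batch (REM) comments are skipped to limit noise.
        if stripped.startswith("'") or stripped.upper().startswith("REM "):
            continue
        for rule, pattern, mask in CREDENTIAL_RULES:
            if pattern.search(stripped):
                findings.append({"source": source, "line": lineno, "rule": rule,
                                 "text": pattern.sub(mask, stripped)})
                break  # one finding per line is enough for the audit
    return findings

# Constructed sample in the style of the script the paper describes.
SAMPLE_SCRIPT = r"""' Constructed sample: nightly maintenance script, not a real system
Option Explicit
Dim strUser, strPass, objLocator, objShell, objWMI
strUser = "CORP\svc_admin"
strPass = "Winter2022!"
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objShell = CreateObject("WScript.Shell")
objShell.Run "net use Z: \\srv01\share /user:CORP\svc_admin Winter2022!"
Set objWMI = objLocator.ConnectServer("srv01", "root\cimv2", strUser, strPass)
' password = "old-value"  (commented out, skipped by the scanner)"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SCRIPT, "maintenance.vbs"):
        print(f"{f['source']}:{f['line']} [{f['rule']}] {f['text']}")
```

Running it over a directory is a matter of calling scan_text on each .vbs, .bat, .cmd or .ps1 file; the report never echoes the credential itself.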
[8] Lohrman, D.; “Data Breach Numbers, Costs and Impacts All Rise in 2021,” 10 October 2021, https://www.govtech.com/blogs/lohrmann-on-cybersecurity/data-breach-numbers-costs-and-impacts-all-rise-in-2021
[9] Verizon, “2022 Verizon Data Breach Investigations Report,” 24 May 2022, https://www.verizon.com/business/resources/reports/dbir/
[10] Ibid.
[11] Moldes, C.; “Compliant but Not Secure: Why PCI-Certified Companies are Being Breached,” 9 May 2019, CSIAC, https://csiac.org/articles/compliant-but-not-secure-why-pci-certified-companies-are-being-breached/
[12] Ibid.
[13] Ibid.
of focus for compliance purposes. Trying to be compliant with everything, all the time, does not work. It only adds to the complexity, which hurts an organization’s security posture. Trying to shoehorn compliance in terms of basic premises needs, without an understanding of organizational risk (e.g., adversary targets), complicates compliance initiatives because it skews the scope. A compliance audit and compliance

exposed, they are most often a person’s name, followed by Social Security number, date of birth, current home address and medical information.[16] If the laws in place for nearly 20 years made a difference to data security, breaches would not be increasing. Figure 1 depicts that the vertical markets that are the most regulated, with the highest legal and financial penalties for a breach, are also the most-compromised vertical markets.

Figure 1. Source: Risk Based Security - Flashpoint. (2021). 2021 Year End Data Breach QuickView Report, https://pages.riskbasedsecurity.com/2021-year-end-data-breach-report
[14] Johnson, B.; “Top 3 Audit Challenges and How to Overcome Them,” Netwrix, 13 January 2022, https://blog.netwrix.com/2019/01/16/top-3-audit-challenges-and-how-to-overcome-them/
[15] Identity Theft Resource Center, “2021 Annual Data Breach Report,” 1 January 2022, https://www.idtheftcenter.org/publication/2021-annual-data-breach-report-2/
[16] Ibid.
Figure 2 shows a sampling of the most recent enterprise breach victims. Every breached enterprise in figure 2 had either a well-funded multimillion-dollar compliance program or, at the very least, had achieved a level of compliance for its business but was still breached. Despite maturity of compliance programs or

easily in most instances, and in some cases repeatedly. Sadly, compliance provides many organizations with a false sense of security. To best address their security, enterprises must concentrate on a risk-based approach that aligns risk mitigations with the organization’s objectives and goals.[17]

Figure 2. Sampling of recent enterprise breach victims

| Breached Enterprise | Year | Number of Incidents | Industry | Compliance Regulation |
|---|---|---|---|---|
| Iberdrola® | 2022 | 1,300,000 | Energy | PII Data |
| International Committee of the Red Cross (ICRC®) | 2022 | 515,000 | Humanitarian | PII–HIPAA |
| IKEA® | 2022 | 95,000 | Retail | PII–PCI |
| Ancestry® | 2021 | 300,000 | Web | PII–HIPAA |
| Ankle & Foot Center of Tampa Bay, Inc. | 2021 | 156,000 | Healthcare | PII–HIPAA |
| AOL® | 2021 | 20,000,000 | Web | PII |
| Apple, Inc.®/BlueToad™ | 2021 | 12,367,232 | Tech, retail | PII |
| Apple® | 2021 | 275,000 | Tech | PII–PCI |
| Apple Health Medicaid | 2021 | 91,000 | Healthcare | PII–HIPAA |
| CyberServe® | 2021 | 1,107,034 | Hosting provider | PII |
| NEC Networks, LLC | 2021 | 1,6000,000 | Healthcare | PII–HIPAA |
| T-Mobile® | 2021 | 45,000,000 | Telecom | PII–PCI |
[17] ISACA, CISM Review Manual 16th Edition, USA, 2021, https://www.isaca.org/bookstore/cism-exam-resources/cm16ed
[18] Lomas, N.; “Most EU cookie ‘consent’ notices are meaningless or manipulative, study finds,” 10 August 2019, TechCrunch, https://techcrunch.com/2019/08/10/most-eu-cookie-consent-notices-are-meaningless-or-manipulative-study-finds/
Privacy and Security Must Align

legislation is introducing new flaws into the digital data security approach and strategy that organizations must address. Borders that are ethereal lines on a map cannot stop a digital transition from one space to another. The ability to enforce the controls needed for this type of privacy legislation does not technically exist.

Enterprises usually try to address these unenforceable privacy requirements first, instead of applying technical controls that can keep data more secure while allowing those data to be used for whatever transactional purpose

Facebook did not need to ask for users’ specific consent to target them with ads, because every user already signed a contract with Facebook when they agreed to its lengthy terms and conditions. Other countries in the EU noted that this draft was out of line with their requirements for GDPR and were willing to fine Facebook for this approach. When Facebook did the math and realized how much revenue it would lose by allowing GDPR requirements to stymie its approach, Facebook said it would pay the fine. The fine for those GDPR violations would total about $36 million, which, based on financial numbers published by Facebook, equals about three hours of revenue.[20] After the draft publication became law
19
Greig, J.; “Irish regulators support Facebook’s ‘consent bypass’ legal maneuver, suggest $42 million fine for GDPR violations,” ZDNET, 13 October 2021,
https://www.zdnet.com/article/irish-regulators-support-facebooks-consent-bypass-legal-maneuver-suggest-42-million-fine-for-gdpr-violations/
19
20
Privay Affairs, “GDPR Fines Tracker and Statistics,” 2022, https://www.privacyaffairs.com/gdpr-fines/
Security Strategy Can Be Smarter

Until security teams can know in real time who has access to their data, how they are using them, and why those data are necessarily available to those users from a business perspective, enterprise data security will continue to fail. Principles of need-to-know and least privilege are imperative. Once enterprises have improved visibility and understanding of their valuable data assets, they can begin evolving their security posture.

Implementing Zero Trust for data without breaking business logic requires a careful shift away from legacy approaches. As Zero Trust continues to evolve, and as the market’s defensive technologies enable that evolution, enterprises that have done the work of improving visibility and understanding their valuable data assets can begin evolving their security posture.

Without having accurate inventory and data understanding first, an enterprise should not move into a Zero Trust initiative. In order to employ the correct controls, an enterprise must know the following:
• What it is protecting

should have a deadline applied to them to either re-instantiate the access or at the very least revalidate the
[21] ISACA, Zero Trust: How to Beat Adversaries At Their Own Game, 2022, https://store.isaca.org/s/store#/store/browse/detail/a2S4w000005DtLZEA0
The Zero Trust (ZT) paradigm should look like the following path (illustrated in figure 3), all bounded with an ephemeral control (token, etc.):
• Entity—Anything with an identity
• Device—Something that is connected
• Network—Any network
• ZT Policy Engine
• Resource—Workload, app, asset inside an enterprise boundary
• Data—Only data needed for that entity to perform its task

Placing detection and response control and capabilities around the most valuable data objects and stores protects them from the identities being misused through phishing or application security faults. This is strategically wise. Anomaly detection and automated remediation are helpful means to power an effective response at scale when a threat is indicated. Bounding the access flow with some time restriction further limits the potential spread of a compromise when one occurs.

Enterprises can tie in newer approaches to data security, such as real-time redaction of data that should not be viewable by a user or entity, based on the policy engine control. Most data security compromises are not on an individual email or one-off communication; they are via data stores and databases. Because DLP fails to address these issues, data redaction can be applied to those data stores and the data within them.
Figure 3. Zero Trust policy flow (labels recovered from the figure): Partners, Customers, Robots; Servers, Workloads, IoT; On premises, Google, Private, Managed; SaaS, PaaS, IaaS; Zero Trust Policy.
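The access path and the ephemeral, time-bounded control described above, as an added example that is not part of the ISACA paper: a small policy engine that issues a short-lived token per entity, device, network zone and resource, redacts fields outside the grant in real time when a record is read, and revokes a token that is replayed from a different device. The class and function names, the role names, the zones and the policy table are all constructed for this example.

```python
"""Minimal Zero Trust policy engine for data access, an added example that is
not from the ISACA paper. It follows the paper's path (Entity -> Device ->
Network -> ZT Policy Engine -> Resource -> Data), bounds each grant with an
ephemeral time-limited token, redacts fields the policy does not grant, and
revokes a token replayed from another device. Policy and identities are constructed."""
import secrets, time
from collections import namedtuple

Entity = namedtuple("Entity", "name roles")          # anything with an identity
Device = namedtuple("Device", "device_id managed")   # something that is connected
Token = namedtuple("Token", "value entity device_id resource fields expires_at")

# Constructed policy: per resource, the network zones allowed, the grant
# lifetime in seconds, and the fields each role needs to know.
POLICY = {"cardholder_db": {
    "zones": {"corp", "vpn"}, "ttl": 300,
    "fields": {"billing": {"name", "last4", "zip"},
               "fraud_analyst": {"name", "last4", "zip", "pan"}}}}

class PolicyEngine:
    def __init__(self):
        self._tokens = {}   # live grants keyed by token value
        self.events = []    # deny/revoke events for the detection team

    def authorize(self, entity, device, zone, resource, now=None):
        """Walk the path; deny at the first failing step, else issue a token."""
        now = time.time() if now is None else now
        rule = POLICY.get(resource)
        fields = set()
        if rule is not None and device.managed and zone in rule["zones"]:
            for role in entity.roles:
                fields |= rule["fields"].get(role, set())
        if not fields:  # unknown resource, unmanaged device, wrong zone, or no need-to-know
            self.events.append(("deny", entity.name, device.device_id, zone, resource))
            return None
        tok = Token(secrets.token_urlsafe(16), entity.name, device.device_id,
                    resource, frozenset(fields), now + rule["ttl"])
        self._tokens[tok.value] = tok
        return tok

    def read(self, token_value, device, record, now=None):
        """Serve a record through a token, redacting fields outside the grant."""
        now = time.time() if now is None else now
        tok = self._tokens.get(token_value)
        if tok is None or now >= tok.expires_at:
            self._tokens.pop(token_value, None)   # expired: access must be revalidated
            return None
        if device.device_id != tok.device_id:     # token used from another device
            del self._tokens[token_value]          # anomaly -> automated remediation
            self.events.append(("revoked", tok.entity, device.device_id, tok.resource))
            return None
        return {k: (v if k in tok.fields else "[REDACTED]") for k, v in record.items()}

if __name__ == "__main__":
    eng = PolicyEngine()
    tok = eng.authorize(Entity("alice", {"billing"}), Device("lt-001", True), "corp", "cardholder_db")
    print(eng.read(tok.value, Device("lt-001", True), {"name": "A. Example", "pan": "4111111111111111"}))
```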
Conclusion

In conclusion, it is critical to realize that compliant does not equal secure and that privacy, while necessary, cannot be achieved in an insecure infrastructure. Organizations should employ risk-based approaches to their defense, evaluating their approach to data security from the perspective of an adversary before systematically and strategically removing that adversary’s route to victory. Doing so shifts the balance of power back to the defenders and ultimately will benefit the customers and users. An intelligent Zero Trust policy control paradigm that is tied to data security where data are most likely to be targeted—in the data stores—can finally realize an effective security strategy without applying the kinds of blocks and sledgehammer controls that disable business and disempower users. In order to defend their proverbial crown jewels (data), enterprises need to know what they are protecting and why.
Acknowledgments
ISACA would like to recognize:
David Samuelson
Chief Executive Officer, ISACA, USA
Gerrard Schmid
Former President and Chief Executive Officer, Diebold Nixdorf, USA
Bjorn R. Watne
CISA, CISM, CGEIT, CRISC, CDPSE, CISSP-ISSMP
Senior Vice President and Chief Security Officer, Telenor Group, USA
Asaf Weisberg
CISA, CISM, CGEIT, CRISC, CDPSE, CSX-P
Chief Executive Officer, introSight Ltd., Israel
About ISACA

For more than 50 years, ISACA® (www.isaca.org) has advanced the best talent, expertise and learning in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations, and enables enterprises to train and build quality teams that effectively drive IT audit, risk management and security priorities forward. ISACA is a global professional association and learning organization that leverages the expertise of more than 150,000 members who work in information security, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 220 chapters worldwide. In 2020, ISACA launched One In Tech, a philanthropic foundation that supports IT education and career pathways for under-resourced, under-represented populations.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org

Provide Feedback: www.isaca.org/defending-data-smartly
Participate in the ISACA Online Forums: https://engage.isaca.org/onlineforums
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews/

DISCLAIMER

ISACA has designed and created Defending Data Smartly (the “Work”) primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

RESERVATION OF RIGHTS

© 2022 ISACA. All rights reserved.