Four IT Security Lessons to Learn From Anonymous’ Stratfor Hack
On Christmas Eve, while most of us were immersed in the holiday spirit, others were immersed in the sensitive information of Stratfor Global Intelligence Service’s client list.
A group of hackers, associated with the collective known as Anonymous, breached Stratfor’s systems, obtaining the credit card numbers, passwords and home addresses of the company’s customers. The group has already used this stolen information to make donations to charities, such as the American Red Cross. (This story keeps evolving as new information is released. For the latest updates, check out The New York Times topic page on Anonymous here.)
Breaches like this are happening so frequently (just follow the medical community for the evidence) that they’re becoming ho-hum. But that’s even more reason to question how they can happen in the first place. This is 2011, after all, and technology in organizations should, in almost every case, protect against something like this.
To help you ensure you don’t become the next Stratfor, here are four lessons in IT security that you can take to your organization.
1. To protect against data breaches, it’s not just the database that needs to be protected – it’s the documents.
The full picture of exactly what content was compromised from Stratfor is still unclear. But we do know that it went beyond the database to things like emails.
The reality is that sometimes, documents like PDFs and Word files have sensitive information like credit card numbers on them. To make sure they’re securely managed, an enterprise content management system should be able to provide granular levels of security down to the single document level, and can store them in an encrypted format.
2. An email might be a communication tool first. But when it contains sensitive information, it needs to be treated as a record.
We’re in a world where the amount of information is exploding, making it more complicated to determine which needs to be deemed necessary to manage within an organization’s content management system.
Hopefully, the Stratfor situation will put the focus back on the need to better manage sensitive emails and the way they’re archived, a piece of the IT security puzzle that’s often overlooked. Typically emails kept in Exchange or an email archive solution aren’t archived in an encrypted format. To create a complete solution, you should be able to configure an enterprise content management system to delete emails in the respective mail client once the email is archived in that system.
3. Encryption should be built into your software.
Storage and data archiving vendors, like EMC or IBM, provide a lot of security and data integrity controls in their systems. But you shouldn’t rely solely on your hardware to administer security on where your documents are residing.
ECM software should be able to encrypt documents and images at the physical storage level, protecting the data from unauthorized access to the physical drives. Documents that are archived in this way then can only be opened and viewed with ECM software interface, ensuring that the security controls imposed by the software are respected at all times, regardless of what happens to the hardware.
4. You can’t fully control your employees’ actions. But you can protect against it.
Every company has disgruntled employees, even a few willing to give up their login information to your enterprise systems - or more commonly, employees who mean well, but are fooled by hackers from time to time. Here’s how you can combat these situations (to a degree).
When it comes to documents, most ECM systems offer the capabilities to either automatically or on an ad-hoc basis do redactions on sensitive information that the majority of users in the organization don’t need to do their jobs. So, authorized users can still get access to the physical documents, but only certain people can see the actual information on the document, like a credit card number. This level of security is becoming more talked about with PCI compliance regulations.
The IT tools are out there to protect organizations. Hopefully this incident (and these tips) lights a fire under the IT departments who aren’t yet taking advantage.