How-To · 9 minute read
September 22, 2023

How To Prevent A Data Breach

Whether you’re a home user or a multinational business, a data breach can be one of the worst experiences of your existence. It can lead to embarrassment, blackmail, identity theft, intellectual property theft, harassment, financial hardship, and even physical attacks against property or violence against people.

Preventing a data breach is more about getting everything organized and up to date than it is about identifying specific attacks. In today’s world, just assume that there are hundreds of thousands of entities who will hack you if the slightest opportunity presents itself. That means your defense needs to be both general and comprehensive.

This article will outline the major steps that you need to take in order to improve your cybersecurity. Once you know how to prevent a data breach and take the right steps to protect your data, you’ll rest a lot easier.


Taking Stock of Your Data

The first step in securing your data is to get a complete list or map of where your data currently is and how it is secured.

  • Storage Hardware and Firmware - On Premises: Identify every computer, mobile device, network-attached storage device (NAS), rack-mounted system, local Cloud device, and Internet of Things (IoT) device on your local network, in your device pool, or sitting in your local building (networked or not). If you don’t have a current inventory, it’s time to take one. Every device that can store data permanently goes on this list. The reason is simple - you can’t possibly secure all of your data if you don’t know where it is. And firmware controls some of the most basic security settings on these devices.
  • Networking Hardware and Firmware - On Premises: Next you need to look at every device that can examine, pass through, or cache data on the network. Identify all of your switches, routers, firewalls, load balancers, modems, gateways, hubs, security appliances, printers, network appliances, IP phones, IP security cameras, terminals, and public interfaces. If it can touch the network, it goes on this list. Again, the firmware for these devices is critical to data integrity.
  • Off Premises Storage And Networking Hardware: Now do the same thing for any hardware hosted offsite. This might be in satellite offices, deployed to client sites, in home offices, hosted in data centers, in retail locations, kiosks, hotspots, on vehicles, deployed in the wild, or hosted in public locations.
  • Cloud Storage: Next you need to discover all the different Cloud storage solutions and virtual machines (VMs) being used, whether that means public Cloud or solutions you set up yourself. Anything stored in the Amazon Cloud (AWS), Google Cloud or Drive, Microsoft Azure or OneDrive, Dropbox, iCloud, Box, or any industry or application-specific Cloud storage medium must be accounted for.
  • Cloud Services: This includes free, subscription, and self-owned software or apps that are hosted in the Cloud, any of which might have identifying or financial data attached (to the account itself or as part of using the service). It also includes Cloud systems that you or your company set up for internal and external use like Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) solutions. In addition to the common Cloud service providers (Amazon, Microsoft, Google, etc.), the entire Google suite (Gmail, Docs, etc.), Adobe suite, banking and finance apps, web hosting, and industry-specific Cloud services must be considered.
  • Software Licenses and Subscriptions: Both free and paid licenses must be considered, including operating systems (macOS, Windows, Linux, Android, etc.), document suites (Office, Adobe, etc.), creative suites, games, utilities, and apps on mobile devices.

Once you have a handle on the hardware, firmware, and software that holds, manipulates, caches, or transmits your data, you are in a position to do an analysis of the security of everything that touches your day-to-day activities.

Prepare To Automate!

This next step is critical. Unless you want to be locked in a constant battle of software, firmware, and hardware upgrades, you must put some kind of automation in place to keep everything up to date! It’s likely that as a home user, you have dozens of entries on the list created above. A business likely has hundreds of things that need updating at minimum, more likely thousands or tens of thousands.

Another reason to automate is to create sane backups automatically. You never know when your particular combination of hardware, firmware, and software will create troublesome or fatal errors. Automatic backups (as well as nightly incremental backups on critical systems) will save a lot of heartache in the long run. A backup only counts once you have restored from it, so schedule test restores as well, and keep at least one copy offline or otherwise out of reach of an attacker who has already compromised the live system. Some operating systems like Windows can create periodic ‘restore points’ automatically as well, which can help if a rollback needs to happen in the future.

Automatic updates should be turned on as much as possible. On some mission-critical and public-facing servers, updates will need to be tested in a sandbox environment first. Some or all of that testing can also be automated.

The point of this is to stay up to date on critical security updates. Zero-day exploits, though they get a ton of press, are actually rare in comparison to hackers exploiting known, existing bugs. That’s why one of the most common issues in both personal and business computing is lingering vulnerabilities from unpatched systems. Automation is the cleanest way to combat this. It’s simply unrealistic to manually patch everything, even for a full-time IT organization.

For anything that doesn’t have automatic updates, regularly scheduled reminders should be implemented to manually update entire categories of hardware, firmware, and software. For businesses, update windows can be slated for the least active days and hours in order to minimize disruption. The categories being updated should be shifted on a regular basis (weekly or monthly) so that everything is updated multiple times per quarter if possible.

But updates are only half the battle. Next, we have to examine what systems have the most sensitive data and the most high-risk access policies.

Identifying Sensitive Data

There are two types of sensitive data to consider.

The first is nonpublic personal information (NPI). The term comes from US financial regulation (the Gramm-Leach-Bliley Act), and other countries and territories define the equivalent category slightly differently, but in general it includes information such as:

  • Name
  • Address
  • Date of Birth
  • Social Security Number
  • Driver’s License Number
  • Income
  • Account Numbers
  • Account Balances
  • Tax Returns
  • Payment History
  • Loan or Deposit Balances
  • Credit or Debit Card Number and Purchases
  • Court Records
  • Debts, Binding Settlements, and Liens
  • Non-Public Consumer Reports

The second set of information is broader. Personally identifiable information (PII) is another category whose exact definition varies with local law, but it generally includes all of the NPI items above, plus:

  • Usernames, Aliases, Nicknames, and Unique Personal Identifiers
  • IP Address
  • Browser Fingerprint Information
  • Device Fingerprint Information
  • Email Address
  • Account Name
  • Owned Intellectual Property
  • Patent Contribution Information
  • Non-Disclosure Agreements and Related Activities
  • Correlations With Third-Party Authentication
  • Non-Public Property Records
  • Transaction History
  • Biometric Information
  • Internet Activity, Service or Protocol History, and Browsing History
  • Geolocation
  • Audio, Voiceprint, Brainwave, or Other Stored Sensory Data
  • Employment Related Data
  • Protected Education Data (FERPA)
  • Metadata and Metadata Analysis Results for All of the Above

Knowing which systems store, route, cache, and process the information above is what determines the encryption level and access control policy each of those systems needs.

Establishing Sane Access Control

Once the systems dealing with NPI and PII data are identified, access control lists for those systems need to be reviewed. For each system dealing with sensitive data, the following questions need to be answered and appropriate access control list (ACL) modifications made:

  • What level of authentication is required to access this information?
  • What level of encryption is being used to protect this information?
  • Are stored credentials (passwords, API tokens) salted and hashed rather than kept in plain-text files, and are any plain-text exports or lists of this information encrypted at rest?
  • Are all databases with any of this information properly encrypted and secured?
  • Do contractors have access to this information, and are they monitored and audited?
  • What interfaces (APIs, RPAs, user frontends, etc.) have access to this information?
  • What automation (bots, AIs, MLs, update software, etc.) has access to this information?
  • Which SSH keys, API keys, TLS certificates, and service accounts grant access to this information, who holds them, and are they rotated?

All unclear or edge cases should be flagged up when going through the risk assessment steps.

Risk Factoring

Risk assessment or analysis will be different depending on whether you are an individual or a business, and depending on your sector and overall reliance on data and online activity. These processes should be performed for each potential risk that requires a non-trivial amount of time or money to solve.

Risk assessment measures the likelihood of something bad occurring that results in a data breach, on a scale of 1 to 5. Risk analysis measures the severity of the impact if a certain subset of data is breached or leaked, again on a scale of 1 to 5. The actual numbers will be specific to the individual or industry in question. But they are helpful in determining how much time and effort needs to be put into protecting this data.

Multiplying the assessment result with the analysis result gives you the overall risk factor for a particular scenario ranging from 1 to 25. This is the item’s overall risk factor. This is a good way to prioritize what needs to happen first, and what can be delayed until a more reasonable time. Eventually, automation for all updates and update testing should be developed. But the risk factor will allow you to tackle the worst problems first.

As systems get updated in priority order, their access control needs to be assessed. Only the people who absolutely need access to sensitive information should be allowed to access it. And only those with a deep understanding of how the systems work should be allowed to make edits. Everyone else should be locked out. This is true even in a personal situation when you’ve taken on editors, collaborators, or helpers.

Still, there are situations that are practical on the business side which might mean giving contractors and relatively short-term employees access to sensitive account information. These Access Control Lists (ACLs) need to be weighed against how the company functions and the potential risk of leaks or power abuse.

The analysis for the risk of each proposed ACL should come up with one of four results:

Accept: You allow the risk because the benefits are high and you deem the business impact of a leak is low.

Reject (often called risk avoidance): Rejecting the risk means that the potential impact is too massive to accept, transfer, or mitigate. The entire process will need to be reworked.

Transfer: You can insure against the risk, or hire a third party that will take on the partial or complete burden of the risk at a reasonable cost.

Mitigate: The process doesn’t need to be scrapped, but it should be partially reworked so that access to sensitive information is minimized, and oversight (including periodic testing, auditing, and spot checks) is increased.
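The scoring and prioritization described above, and the four treatment outcomes, can be kept as a simple risk register. The following is an added example written for this article, not code from Hoody or from any standard; the scenario names and scores are constructed for illustration, and the ceiling used by flag_for_review (an ‘accept’ decision on a scenario whose impact is above 2 gets flagged) is an assumption made here, since the text only says that ‘accept’ is for cases where the impact is deemed low.

```python
from __future__ import annotations

from dataclasses import dataclass

# The four outcomes the analysis can reach for a scenario.
TREATMENTS = ("accept", "reject", "transfer", "mitigate")


@dataclass(frozen=True)
class Scenario:
    """One row of the risk register."""

    name: str
    likelihood: int  # 1 (rare) .. 5 (near certain): the 'risk assessment' score
    impact: int      # 1 (negligible) .. 5 (catastrophic): the 'risk analysis' score
    treatment: str   # one of TREATMENTS, chosen by the analyst

    def __post_init__(self) -> None:
        # Refuse scores outside the 1..5 scale so a typo cannot distort priorities.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be between 1 and 5, got {value}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"treatment must be one of {TREATMENTS}, got {self.treatment!r}")

    @property
    def risk_factor(self) -> int:
        """Likelihood x impact, on the 1..25 scale."""
        return self.likelihood * self.impact


def prioritize(register: list[Scenario]) -> list[Scenario]:
    """Highest risk factor first; ties broken by impact, then by name for a stable order."""
    return sorted(register, key=lambda s: (-s.risk_factor, -s.impact, s.name))


def flag_for_review(register: list[Scenario], accept_impact_ceiling: int = 2) -> list[str]:
    """Return human-readable warnings for treatments that look inconsistent.

    The ceiling (default 2) is an assumption for this example: 'accept' is meant
    for scenarios whose impact is low, so accepting a high-impact one is flagged.
    """
    problems: list[str] = []
    for s in register:
        if s.treatment == "accept" and s.impact > accept_impact_ceiling:
            problems.append(f"{s.name}: accepted with impact {s.impact}; revisit")
    return problems


# Constructed sample register; names and scores are made up for illustration.
SAMPLE_REGISTER = [
    Scenario("Contractor read access to CRM export", likelihood=4, impact=3, treatment="mitigate"),
    Scenario("Unpatched public web server", likelihood=5, impact=5, treatment="mitigate"),
    Scenario("Shared spreadsheet of loan balances on a laptop", likelihood=3, impact=5, treatment="reject"),
    Scenario("Office printer caches scanned tax returns", likelihood=2, impact=4, treatment="transfer"),
    Scenario("Marketing mailing list in a SaaS tool", likelihood=2, impact=2, treatment="accept"),
    Scenario("Payroll DB reachable by all staff", likelihood=3, impact=5, treatment="accept"),
]


if __name__ == "__main__":
    for s in prioritize(SAMPLE_REGISTER):
        print(f"{s.risk_factor:>2}  {s.treatment:<9} {s.name}")
    for warning in flag_for_review(SAMPLE_REGISTER):
        print("WARNING:", warning)
```

Run stand-alone, the script lists the register from the 25-point server down to the 4-point mailing list, and warns that the payroll database was ‘accepted’ despite an impact of 5. The ordering is what tells you which scenario to work on first; the warning is the kind of spot check that keeps an ‘accept’ from quietly becoming the default answer.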

Try to follow the Principle of Least Privilege which states: ‘A subject should only be given the privileges required for them (or it) to complete the task.’

Note that ‘it’ refers to programs, apps, APIs, automated processes, ML and AI projects, other pieces of hardware and firmware, and the like. These also need to be assessed for the level of access they have.

Once everything has been determined, editing the appropriate programs, systems, firewalls, monitors, and implementing the right encryption methods comes next. After the new setup is tested and implemented in the wild, you’re ready to move on to the next scenario on your priority list.

General Tips

Though this covers the core of tasks that will get your house in order, there are some additional things that you can do to dramatically decrease the chances of a data breach.

Password and Authentication Policy

This one is simple. If two-factor authentication (2FA) is available, use it. If it can be implemented as an option for external-facing systems, do so. A huge number of phishing and social engineering techniques are neutered by 2FA. It isn’t perfect, since people can be fooled into sharing even that information without proper training (see below), and SMS or app-generated codes can be relayed by a phishing site in real time; where you have the choice, prefer hardware security keys or passkeys (FIDO2), which are bound to the real site and can’t be phished that way. But any second factor is better than none.

The passwords themselves should have a high minimum character count. Length does more for security than short passwords with numeric and special character requirements. And don’t set the character cap on any password field too low, or users will be unable to enter a long passphrase at all. A long phrase with personal meaning beats a short collection of random characters, as long as the phrase isn’t a famous quote or something guessable from your public profile. A password such as ‘Take a left onto Ocean Drive and park next to the beach.’ is far more secure than ‘cl$ik94e1’.

A central password manager can give you the best of both worlds, as long as you trust it. That way, each user needs to remember just one password of sufficient length and complexity, and the manager generates long, random, unique passwords for every other system they need to access, so a breach of one site doesn’t give away the rest.

Default passwords on all devices and within all software, firmware, and apps need to be changed. As part of automated testing, every system and device should be checked to see if they’ve somehow reverted to default passwords. This can happen after an update, firmware flash, or rollback. There’s no reason not to check regularly.
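To make the password guidance concrete, here is an added example (written for this article, not code from Hoody) covering three points from the sections above: a length-first policy check with a minimum but no tight cap, salted hashing of stored credentials with a constant-time comparison on verification, and generation of the kind of long random password a manager would issue. The minimum of 16 characters, the 1024-character limit and the ‘scrypt$salt$digest’ storage format are assumptions chosen for this example; adjust them to your own policy.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import string

# Assumed policy values for this example; tune to your own requirements.
MIN_PASSWORD_LENGTH = 16
# A generous cap: long passphrases must be accepted, so this is not set low.
MAX_PASSWORD_LENGTH = 1024

# scrypt work factors: n=2**14, r=8 uses roughly 16 MiB of memory per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DIGEST_LEN = 2 ** 14, 8, 1, 32


def check_password_policy(password: str) -> tuple[bool, str]:
    """Length-first policy: a long passphrase passes, a short 'complex' string does not."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False, f"too short: need at least {MIN_PASSWORD_LENGTH} characters"
    if len(password) > MAX_PASSWORD_LENGTH:
        return False, f"too long: limit is {MAX_PASSWORD_LENGTH} characters"
    return True, "ok"


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return a stored verifier in the assumed format 'scrypt$<hex salt>$<hex digest>'.

    The salt is random per credential, so two users with the same password
    get different stored values and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_LEN
    )
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never accept
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_LEN
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def generate_random_password(length: int = 32) -> str:
    """The kind of long, random, per-site password a password manager would issue."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    passphrase = "Take a left onto Ocean Drive and park next to the beach."
    for candidate in ("cl$ik94e1", passphrase):
        print(repr(candidate), "->", check_password_policy(candidate))
    record = hash_password(passphrase)
    print("stored:", record)
    print("correct passphrase verifies:", verify_password(passphrase, record))
    print("wrong password verifies:", verify_password("cl$ik94e1", record))
    print("manager-style password:", generate_random_password())
```

The policy function rejects the short ‘cl$ik94e1’ and accepts the Ocean Drive sentence, which is the page’s point about length. The same approach (a memory-hard hash with a per-record salt) is what the ACL question about salting and hashing stored credentials is asking for; anything that stores the password itself, reversibly encrypted or not, fails that check.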

Policy and Training

Policy is a complex thing and can vary from person to person and company to company. But in general, you want to establish and implement the following policy types (the contents of which you can often borrow from security firms and trusted open source projects):

  • IT Security
  • Physical Access And Secure Waste Disposal
  • Log Management
  • Backup And Recovery
  • Incident Response
  • Disaster Recovery And Business Continuity
  • Privacy
  • Data Governance
  • Access Management
  • Vendor And Third Party Access
  • Bring Your Own Device
  • Data Retention And Disposal

Finally, training shouldn’t be ignored. Teaching yourself and those who work with you how to avoid common Internet scams and social engineering attempts is worth a few hours of your life (and theirs)! Even the most simple course can help you to avoid disastrous intrusions upon your business and personal life.

Helpful Software and Apps

Software firewalls, even the ones provided with the OS (such as Windows Firewall) can do a lot of the heavy lifting if more expensive hardware options aren’t realistic.

Antivirus and anti-malware software need to be assessed for effectiveness and for the trustworthiness of the company or open source project that maintains the code. Never knowingly use software with built-in backdoors, or from vendors that are compelled by their national laws to provide government access, as the article’s author notes is the case in both China and Russia.

Finally, privacy software needs to go beyond the strict limitations of a VPN. A comprehensive app such as Hoody is your best bet here. Not only does it provide the IP address obfuscation and high levels of traffic encryption that a VPN would, but it completely isolates your browser tabs and web apps from the target server. This means that you can avoid device and browser fingerprinting, which is the biggest privacy threat of this decade, and something that VPNs can’t stop.

In Conclusion

Many people have already started down the path of data breach prevention. But stopping short of a total plan and comprehensive policy that is backed up by action can be even worse than doing nothing at all, because it gives a false sense of security and encourages folks to let their guard down.

The real lesson in how to prevent a data breach is one of patience, time, and meticulous process. You won’t be fully secure overnight. And yes, you’ll likely have to change some habits and mindsets. But in the end, you’ll have adopted a level of automation that will leave you more secure than 99% of users and businesses out there.

Sticking to your policies and undergoing basic security education will do the rest. That last bit can’t be overstressed: Education is key. Social engineering causes a huge percentage of cybersecurity breaches that happen around the globe. Knowing how to detect scammers and what information should never be shared with others can go a long way toward securing your home and business networks.

The vast majority of preventing data breaches is doing the simple things well. Yes, there will always be complex hacks out there and zero-day exploits that you can’t do much about. But making yourself a hard target is the best way to convince hackers to look for easier prey elsewhere.

Will R
Hoody Editorial Team

Will is a former Silicon Valley sysadmin and award-winning non-functional tester. After 20+ years in tech, he decided to share his experience with the world as a writer. His recent work involves documenting government hacking methods while probing the current state of privacy and security on the Internet.
