4 Strategies for Preventing a Data Breach

Follow these tips to maintain control of mission-critical information.
An organization’s sensitive and mission-critical information hangs in the balance every day. Security breaches can happen on mobile devices, such as smartphones or notebooks; on USB drives or CD-ROMs; riding as an attachment to an e-mail message; or via a misconfigured web server. To prevent data breaches, organizations must take a 360-degree look at how sensitive data is stored, retrieved and — most important — controlled. When IT managers look at the network part of the puzzle, they should consider these tips to help contain breaches:

1. Re-evaluate outbound network firewall policies.

Firewalls shouldn’t have an “outgoing allow any” policy, but that’s how many of them end up being configured, especially after years of adjusting, tweaking and dealing with web applications running on nonstandard ports. Services such as Simple Mail Transfer Protocol and Domain Name System, for example, should be blocked outbound from sensitive networks or redirected to official organizational SMTP and DNS servers. There’s no reason for any device to talk directly to the Internet using those protocols, other than specific systems with the roles of mail server and DNS server.

Networks that have proxy servers should certainly block outbound HTTP and HTTPS, except from the proxy servers.
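
The outbound policy described in this tip can be checked mechanically. The following is an added example, not part of the original article: it evaluates a first-match rule list and reports every host that can reach SMTP, DNS, HTTP or HTTPS without holding the matching role. The rule format, the addresses and the implicit default deny are assumptions made for the sketch.

```python
import ipaddress

# Hosts allowed to reach the Internet directly, per service (constructed addresses).
ROLE_HOSTS = {
    ("tcp", 25): {"10.1.0.25"},    # mail server
    ("udp", 53): {"10.1.0.53"},    # DNS server
    ("tcp", 53): {"10.1.0.53"},
    ("tcp", 80): {"10.1.0.80"},    # proxy server
    ("tcp", 443): {"10.1.0.80"},
}

# Rule = (action, source CIDR, protocol or "any", destination port or None for any).
WEAK = [("allow", "10.0.0.0/8", "any", None)]    # the "outgoing allow any" policy
TIGHT = [("allow", host + "/32", proto, port)
         for (proto, port), hosts in ROLE_HOSTS.items() for host in sorted(hosts)]
TIGHT.append(("deny", "0.0.0.0/0", "any", None))  # explicit final deny

PROBES = ["10.20.5.17", "10.1.0.25"]              # a user PC and the mail server


def decide(rules, src, proto, port):
    """First matching rule wins; no match is treated as deny (an assumption)."""
    addr = ipaddress.ip_address(src)
    for action, cidr, r_proto, r_port in rules:
        if (addr in ipaddress.ip_network(cidr)
                and r_proto in ("any", proto)
                and r_port in (None, port)):
            return action
    return "deny"


def audit(rules, probes):
    """Return (host, proto, port) for each host that gets out without the role."""
    findings = []
    for host in probes:
        for (proto, port), allowed in ROLE_HOSTS.items():
            if host not in allowed and decide(rules, host, proto, port) == "allow":
                findings.append((host, proto, port))
    return findings


if __name__ == "__main__":
    print("weak policy findings:", audit(WEAK, PROBES))
    print("tight policy findings:", audit(TIGHT, PROBES))
```

Because evaluation is first-match, a single exception inserted above the role rules reappears as a finding, which is how years of tweaking show up in an audit.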

2. Trigger alerts for some types of prohibited network behavior.

Alerting IT staff on every firewall rule violation could cripple a help desk, but a few especially significant misbehaviors can be early warning signs of a breach. Let’s say that outbound SMTP traffic from users is blocked, but now a PC on the network is trying to send SMTP directly to the Internet. Wouldn’t you want to know about it? Outbound SMTP, Secure Shell and File Transfer Protocol attempts from users are good choices to monitor.

When it comes to URL filtering, an alert for every blocked site would be a waste of time, but investigating blocked malware and known hacking destinations is often fruitful. A programmer or network manager storing text on Pastebin.com is normal, but if it’s someone in the human resources or finance department, they may have an infected PC — or be up to no good.
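
The selective alerting described in this tip, as an added example that is not part of the original article: it reads firewall and URL-filter block events and raises one aggregated alert per source only for blocked outbound SMTP, SSH and FTP and for blocked malware or hacking sites. The log format, the category names, the internal address range and the sample lines are constructed for the sketch.

```python
import ipaddress
import re
from collections import Counter

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space
WATCHED_PORTS = {("tcp", 25): "SMTP", ("tcp", 22): "SSH", ("tcp", 21): "FTP"}
WATCHED_CATEGORIES = {"malware", "hacking"}     # assumed URL-filter category names

# Constructed sample events; the line format is hypothetical.
SAMPLE_LOG = """\
2024-05-01T09:00:01 fw DENY src=10.20.5.17 dst=198.51.100.7 proto=tcp dport=25
2024-05-01T09:00:03 fw DENY src=10.20.5.17 dst=198.51.100.9 proto=tcp dport=25
2024-05-01T09:01:10 fw DENY src=10.20.8.40 dst=203.0.113.5 proto=tcp dport=6881
2024-05-01T09:01:40 fw DENY src=10.20.8.40 dst=10.1.0.5 proto=tcp dport=22
2024-05-01T09:02:00 fw DENY src=10.30.1.9 dst=203.0.113.80 proto=tcp dport=22
2024-05-01T09:03:00 urlf BLOCK src=10.20.5.17 category=malware host=bad.example
2024-05-01T09:03:30 urlf BLOCK src=10.20.8.40 category=games host=play.example
2024-05-01T09:04:00 fw ALLOW src=10.1.0.25 dst=198.51.100.7 proto=tcp dport=25
"""


def triage(log_text):
    """Return {(source, reason): count} for the few blocks worth a human look."""
    alerts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        device, action = parts[1], parts[2]
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        if device == "fw" and action == "DENY":
            try:
                outbound = ipaddress.ip_address(fields["dst"]) not in INTERNAL
                service = WATCHED_PORTS.get((fields["proto"], int(fields["dport"])))
            except (KeyError, ValueError):
                continue  # malformed event: skip it rather than stop the run
            if outbound and service:
                alerts[(fields["src"], "outbound " + service)] += 1
        elif device == "urlf" and action == "BLOCK":
            if fields.get("category") in WATCHED_CATEGORIES:
                alerts[(fields.get("src", "?"), "url " + fields["category"])] += 1
    return dict(alerts)


if __name__ == "__main__":
    for (src, reason), count in sorted(triage(SAMPLE_LOG).items()):
        print(f"ALERT {src} {reason} x{count}")
```

Grouping by source and reason keeps a PC that retries SMTP hundreds of times to a single alert with a count.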

3. Segment the network.

Firewalls are not the bandwidth-blocking, budget-busting products of yesteryear. Today’s firewalls are cost-effective devices that can safely segment organizational networks without causing performance problems. Using firewalls to segment networks provides both control and visibility that can block internal users from browsing parts of the network that should be off-limits.

Most attackers try to leverage weak points in organizational networks, using tools such as phishing attacks. Blocking compromised PCs — or hostile internal users — from wandering around the network looking for poorly protected data is easy when the network is segmented using internal firewalls.

An easy way to identify potential locations for network barriers is by looking at an organizational chart. Networks should be segmented much the same as organizations are segmented, under different executives or departments. Finance and administration shouldn’t mix unimpeded with marketing or e-commerce applications. Research and development or engineering tasks should be separated from education and applications.

4. Worry about web applications.

Poorly written and inadequately secured web applications are the path of least resistance for anyone looking to crack into organizational networks from the outside. Application programmers and application managers, whether in-house, outsourced or from a third-party software house, are the weakest security link in most organizations. Tools such as intrusion prevention systems and web application firewalls aren’t magic bullets that can solve the accumulated problems of decades of bad design, but they help reduce risk.

Heavy-duty intrusion prevention systems require a significant continuing investment, keeping devices tuned and managing alerts. Organizations with high breach potential should already have IPS technology in place. For areas of the network with less sensitive data, simply turning on the built-in IPS that comes with all unified threat management firewalls is a cost-effective and risk-reducing alternative.

About the Author

Joel Snyder

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Dr. Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.