Big data can hold “incredible value” for people who work in security, but the consequences of a data breach that exposes large amounts of information need to be understood, according to Telstra chief security specialist Scott McIntyre.
Speaking at the AusCERT security conference on the Gold Coast, McIntyre told delegates that there is “incredible value in having a lot of information available at your fingertips.”
Using big data means cyber security specialists can get “enriched results” and draw different conclusions, he said.
However, McIntyre had some harsh words for US retailer Target, where a security breach allowed hackers to access the personal information of some 78 million card holders.
He questioned why the US retailer needed to aggregate so much information about its customers.
McIntyre said that organisations that are working with large amounts of data for sales and marketing should ask themselves why they are storing a particular piece of information.
McIntyre said that the rise of cloud has made the landscape more complicated for information security specialists when it comes to avoiding data breaches.
“If you have a software-as-a-service [SaaS] offering there can be additional complications. How do you split out your data from somebody else’s data in one of those environments?" he said. "Not every SaaS provider thinks in advance that you need to have segregation of logs or even data itself."
"There will be load balancers and other ... devices which are shared because this is where the cost savings come in with SaaS," he said. "When you are doing [data breach] investigations and you have no idea what is in the data, this can be incredibly frustrating."
McIntyre said security pros need to have a conversation with their providers to make sure they know what information the provider is holding and the format in which it is kept.
“Be ready for the worst-case scenario, including cases where when you look at the design of a particular product, people end up putting a lot of sensitive information into free text fields; you can understand the frustration if you’re trying to count how many identities might be compromised and how many passwords. What do you look for if you don’t have clear [data] mapping?”
He added that knowing where the data was, who might have been able to access it and under what conditions is something security professionals must “get right” if they have to consider answering questions from regulatory bodies or privacy watchdogs.
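The free-text problem McIntyre describes has a practical counterpart during an investigation: before you can tell a regulator how many identities or passwords were exposed, you have to find them in fields that no data map describes. The following is an added example, not code from the talk or from Telstra, showing one way to triage a dump of unmapped free-text fields. It scans each record for email addresses, Luhn-valid card numbers (so order and phone numbers are not miscounted as cards) and credential disclosures, then attributes what was found to each identity so the output answers the questions the investigation actually gets asked: how many identities, how many password resets, how many cards to reissue. The sample records, the `notes` field name and the regexes are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the article): free-text "notes" fields of the
# kind the talk warns about, where agents and customers paste data that no schema
# or data map records. Card numbers are standard test numbers, not real cards.
SAMPLE_RECORDS = [
    {"id": 1, "notes": "Customer alice@example.com called, reset done. new pw: Summer2014!"},
    {"id": 2, "notes": "Card on file 4111 1111 1111 1111 exp 05/16, contact alice@example.com"},
    {"id": 3, "notes": "bob@example.org asked about bill. Ref 1234 5678 9012 3456 is an order number"},
    {"id": 4, "notes": "No PII here, just a routine plan change."},
    {"id": 5, "notes": "password=hunter2 for carol@example.net portal login; card 5500 0000 0000 0004"},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer number.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Credential disclosures such as "password: x", "pw=x", "passwd: x" (assumed patterns).
PASSWORD_RE = re.compile(r"\b(?:password|passwd|pwd|pw)\s*[:=]\s*(\S+)", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates card numbers from order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_records(records):
    """Return identities found, what was exposed alongside each, and which records need review."""
    identities = defaultdict(set)   # email -> subset of {"card", "password"}
    cards = set()
    flagged = []
    for rec in records:
        text = rec["notes"]
        emails = {m.lower() for m in EMAIL_RE.findall(text)}
        pans = {re.sub(r"[ -]", "", m) for m in PAN_RE.findall(text)}
        pans = {p for p in pans if luhn_ok(p)}           # drop non-card digit runs
        passwords = PASSWORD_RE.findall(text)
        for e in emails:
            exposed = identities[e]   # creates the entry, so a bare email still counts as an identity
            if pans:
                exposed.add("card")
            if passwords:
                exposed.add("password")
        cards.update(pans)
        if emails or pans or passwords:
            flagged.append(rec["id"])
    return {"identities": dict(identities), "cards": sorted(cards), "flagged_records": flagged}


def summarise(report):
    """Turn the scan into the numbers an incident lead or regulator asks for."""
    ids = report["identities"]
    return {
        "identities_exposed": len(ids),
        "password_resets": sum(1 for exposed in ids.values() if "password" in exposed),
        "cards_to_reissue": len(report["cards"]),
        "records_to_review": len(report["flagged_records"]),
    }


if __name__ == "__main__":
    print(summarise(scan_records(SAMPLE_RECORDS)))
```

The Luhn filter is the part worth keeping in any real version of this: without it the order reference in record 3 would be counted as a third card. Attributing exposures per identity rather than per record is what lets you answer “how many password resets” rather than just “how many hits”, which is the count McIntyre says investigators get stuck on.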
McIntyre said that security professionals need to think about the financial or brand damage from a data breach.
“It [a data breach] could be the beginning of a much more complicated process. You need to have a plan to move forward. When you’re trying to explain to people what led to a data breach and what controls were in place and the people on the other side of the table don’t understand these factors, you’re going to have a really tough time.”
To avoid this, McIntyre suggested sitting down with executives or management and explaining how the IT security team handles sensitive information.
McIntyre cited the Ponemon Institute report from May 2014, which found that the average cost of a data breach to an Australian enterprise increased from A$2.16 million in 2011 to A$2.72 million last year.
“If you have big data systems, start thinking about what it will cost you to deal with a big data breach. If it happened, what would it cost you to re-set credentials and potentially change something important about your customers or enterprise?”
According to McIntyre, the Heartbleed bug was a “classic example” as many organisations had to go out and purchase new SSL certificates.
“What about people who have tokens and the PIN codes for those tokens were intercepted due to the Heartbleed attack? That means you need to reset the PINs of all the people who have that token,” he said.
However, McIntyre said the worst thing that can happen to an organisation is that it “doesn’t learn” from the data breach.
“If a breach does happen, be aware of who your vendors are, understand who has access to your information and have a playbook running for that particular environment.”
For example, Telstra has a data security schedule which is included in contracts.
“This allows us to work with providers and third parties. It sets out how we expect them to look after our data, these are the terms of incident response and that we will want this information in a certain amount of time.”
According to McIntyre, this is a “legal instrument but it [also] gets people thinking.”
“For an organisation such as Telstra, the security and privacy around large aggregated data sets must be the driving concern. You need to do it with due diligence.”
Hamish Barwick attended the AusCERT conference as a guest of AusCERT