We are seeing an increase in the value that hackers and threat actors throughout the world place on Personally Identifiable Information (PII).
Whereas previously the prime data targets were credit card information and health records, there is growing evidence that the information being sought and stolen has expanded to include personal identifiers such as Social Security Numbers, Medicare numbers, mothers' maiden names, birth dates, employment history and even security challenge questions and their answers. Unlike a credit card number, most of these identifiers cannot be re-issued once stolen, which is part of what makes them valuable.
In light of this expanded set of targets, organisations need to ensure that their multi-layered security approach both protects this data and detects any unauthorised access to it.
Defending against such targeted attacks requires an organisation to implement effective policies and procedures in conjunction with preventative and detective security controls.
Locating and Identifying Critical data and information
Identifying the location of your critical data is the obvious first step in securing and protecting it. Without knowing where the data is stored and in what form (which databases, file shares, backups, exports and reports hold it, and whether it sits in structured columns or free text), an organisation is unable to implement controls and policies around it.
Without this visibility the conversation cannot proceed to protecting the data, segmenting the network or addressing user access.
Let’s take a look at a number of controls that an organisation could put in place to mitigate risks associated with targeted PII theft.
Is your data encrypted at rest?
Sensitive data at rest should be encrypted. Although this is not always practical or possible, organisations should seek to implement such controls. Encryption can be applied at the database layer (transparent data encryption, which protects against theft of the storage media or backup files but not against a user or attacker who can already query the database) or at the application layer (where individual fields such as an SSN are encrypted before they are written, so the database and its administrators never see the plaintext). In either case the encryption keys must be stored and managed separately from the data they protect, otherwise an attacker who copies the database copies the keys with it. Talk to your application vendor to see what options they have available for the applications managing your sensitive data.
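As an added example (not code from the original post or from any vendor product), the following Go program shows what application-layer field encryption looks like: each PII value is sealed with AES-256-GCM and bound to its record and column through associated data, so a ciphertext lifted from one row cannot be decrypted in another, and the database only ever holds the sealed value. The key-generation function, the record identifier format `customer:<id>:<column>` and the use of a locally generated random key stand in for a real key-management service and are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// EncryptField encrypts one sensitive column value with AES-256-GCM.
// key is a 32-byte data-encryption key; in production it would be obtained
// from a KMS or HSM rather than generated locally (assumption of this example).
// aad binds the ciphertext to its record and column (e.g. "customer:1042:ssn")
// so a ciphertext copied into another row or column fails to decrypt.
func EncryptField(key []byte, aad, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext and tag after the nonce; the nonce is stored with
	// the ciphertext because it is needed to decrypt and is not secret.
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. It fails if the key, nonce, ciphertext,
// tag or associated data differ from what was sealed.
func DecryptField(key []byte, aad, encoded string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, body, []byte(aad))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// NewDataKey generates a random 32-byte key. Constructed for this example;
// a real deployment would fetch a wrapped data key from its KMS instead.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record: a customer's SSN destined for column "ssn".
	ct, err := EncryptField(key, "customer:1042:ssn", "123-45-6789")
	if err != nil {
		panic(err)
	}
	fmt.Println("value stored in the database:", ct)
	pt, err := DecryptField(key, "customer:1042:ssn", ct)
	fmt.Println("decrypted by the application:", pt, err)
	// The same ciphertext moved to another customer's row is rejected.
	_, err = DecryptField(key, "customer:2077:ssn", ct)
	fmt.Println("ciphertext swapped into another row:", err)
}
```

The associated-data binding is the part that a plain "encrypt the column" approach usually omits: without it, an attacker with write access to the database can move a ciphertext between rows and have the application decrypt it in the wrong context.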
Is your network segmented?
Through the use of ACLs throughout your network, network administrators can segment your database infrastructure from the rest of the estate. Databases holding sensitive data should be placed in the most trusted network segments, with direct connectivity (for example to the database listener port) restricted to the application servers and administrative hosts that need it, and denied by default from user workstations, guest networks and third-party connections. Connection attempts that an ACL denies should be logged and reviewed, since a workstation or vendor host probing the database segment is an early indicator of exactly the kind of targeted theft described above.
Restrict, Monitor and Audit User access
Access to the database servers and to the applications that can reach the sensitive data should be provided on a least-privilege basis. In practice this means individual rather than shared accounts, application service accounts limited to the tables and operations they need, and database audit logging enabled for the tables holding PII. Users with privileged access should be monitored and their actions auditable by your organisation, for both internal staff and third-party vendors, and the audit records reviewed for unusual access such as bulk reads, access outside business hours or direct queries by administrators that bypass the application.
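The following Go program is an added example, not code from the original post, of the monitoring side of this control: it parses a handful of constructed database audit records and flags access to PII tables that warrants review. The key=value log format, the table names, the `vendor_` and `dba_` account-naming conventions, the 10,000-row bulk threshold and the 07:00 to 19:00 UTC business-hours window are all assumptions of the example; a real deployment would parse its own engine's audit format (pgaudit, SQL Server Audit, Oracle Unified Audit and so on) and tune the rules to its environment.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// AuditEvent is one parsed database audit record.
type AuditEvent struct {
	When   time.Time
	User   string
	Table  string
	Action string
	Rows   int
}

// Alert records an event and the rule that flagged it.
type Alert struct {
	Event  AuditEvent
	Reason string
}

// SampleAudit holds constructed sample audit lines in a simple key=value
// layout invented for this example; real audit engines each have their own.
const SampleAudit = `2019-03-04T09:12:01Z user=hr_app table=employees action=SELECT rows=1
2019-03-04T09:12:07Z user=hr_app table=employees action=UPDATE rows=1
2019-03-04T02:41:55Z user=vendor_support table=employees action=SELECT rows=48000
2019-03-04T11:03:20Z user=dba_jsmith table=employees action=SELECT rows=52
2019-03-04T11:05:02Z user=dba_jsmith table=credentials action=SELECT rows=1
2019-03-04T14:20:00Z user=hr_app table=employees action=SELECT rows=25000`

// PIITables lists the tables that hold the identifiers this article is about
// (assumed names; populate from your data-discovery exercise).
var PIITables = map[string]bool{"employees": true, "credentials": true}

// ParseAudit parses the key=value lines above. Malformed lines are skipped.
func ParseAudit(raw string) []AuditEvent {
	var events []AuditEvent
	for _, line := range strings.Split(raw, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 5 {
			continue
		}
		when, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			continue
		}
		ev := AuditEvent{When: when}
		for _, f := range fields[1:] {
			kv := strings.SplitN(f, "=", 2)
			if len(kv) != 2 {
				continue
			}
			switch kv[0] {
			case "user":
				ev.User = kv[1]
			case "table":
				ev.Table = kv[1]
			case "action":
				ev.Action = kv[1]
			case "rows":
				ev.Rows, _ = strconv.Atoi(kv[1])
			}
		}
		events = append(events, ev)
	}
	return events
}

// DetectSuspiciousAccess applies four rules to access against PII tables:
// bulk reads of at least bulkRows rows, any access by a third-party
// (vendor_*) account, direct access by a DBA (dba_*) account that bypasses
// the application, and any access outside 07:00-19:00 UTC. The naming
// conventions and the hours window are assumptions for this example.
func DetectSuspiciousAccess(events []AuditEvent, bulkRows int) []Alert {
	var alerts []Alert
	for _, ev := range events {
		if !PIITables[ev.Table] {
			continue
		}
		if ev.Rows >= bulkRows {
			alerts = append(alerts, Alert{ev, fmt.Sprintf("bulk read of %d rows", ev.Rows)})
		}
		if strings.HasPrefix(ev.User, "vendor_") {
			alerts = append(alerts, Alert{ev, "third-party account accessed PII table"})
		}
		if strings.HasPrefix(ev.User, "dba_") {
			alerts = append(alerts, Alert{ev, "privileged account queried PII table directly"})
		}
		if h := ev.When.UTC().Hour(); h < 7 || h >= 19 {
			alerts = append(alerts, Alert{ev, "access outside business hours"})
		}
	}
	return alerts
}

func main() {
	for _, a := range DetectSuspiciousAccess(ParseAudit(SampleAudit), 10000) {
		fmt.Printf("%s %-15s %-12s %s\n",
			a.Event.When.Format(time.RFC3339), a.Event.User, a.Event.Table, a.Reason)
	}
}
```

On the sample data the vendor account's 48,000-row read at 02:41 trips three rules at once, while the application's 25,000-row read during the day trips only the bulk rule; the DBA's direct queries are flagged even though they are small, because the point of the rule is that such access should be explained, not that it is necessarily malicious.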
To discuss any of the above controls, or your security posture in general, feel free to get in touch with a member of our Security Team.