Jeff Schilling

Data Insecurity: Flawed Technology Or Outdated Business Process?

When it comes to protecting critical data, legacy processes are just as vulnerable as legacy software.

Are data breaches caused by flawed security technology or by outdated business processes? If we want to truly shift the momentum in the cybersecurity fight, we as an industry need to change how we conduct business and think about securing the business process first. Only then should we turn to the IT systems in which those processes reside.

To be clear, this is more than tweaking a few processes. Getting to the crux of this global problem will require a top-down audit of how a specific business operates, followed by an overhaul of each and every function. The reason: in many cases, when a business process was "automated," the process itself was never redesigned. The paper steps were simply turned into digital ones, hand-offs and duplicate copies included.

A real-world problem

At a recent healthcare conference I attended, one insurance company compliance executive admitted that his organization found eight copies of their main patient record database in their enterprise environment. Even more shocking? Those were just the copies he knew about. And that’s likely what troubled him most.

To me, this sounds like a symptom of a flawed business process rather than a failure of any one security product. At some point a legacy procedure required that database to be stored in multiple locations, most likely including places that were never properly protected or even inventoried. The exposure is not the database engine; it is every forgotten copy that sits outside the controls applied to the master. You can easily see how the same situation could be found in enterprises across the globe.
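One way to go looking for the copies an organization does not know about, as an added example that is not the article's or the insurer's own tooling: the scan below groups files by SHA-256 content hash and flags any duplicated dataset that sits outside an approved location. The directory layout, the "approved" root and the sample patient records are constructed for the demonstration.

```python
"""Added example (not from the article): locate duplicate copies of a sensitive
dataset by content hash and flag copies that live outside approved locations.

Everything below is constructed for illustration: the directory names, the
"approved" root and the sample file contents are assumptions, not anything the
article or the insurer described.
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large exports need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def group_by_content(root):
    """Walk `root` and group every regular file by its content hash.

    Returns {sha256: [paths...]}; any group with more than one path is a set
    of byte-identical copies, regardless of file name or extension.
    """
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            groups[sha256_file(path)].append(path)
    return groups


def copies_outside(groups, approved_dirs):
    """For each duplicated dataset, list the copies not under an approved directory."""
    approved = tuple(os.path.abspath(d) + os.sep for d in approved_dirs)
    findings = {}
    for digest, paths in groups.items():
        if len(paths) < 2:
            continue  # a single copy is not sprawl, whatever its location
        strays = [p for p in paths if not os.path.abspath(p).startswith(approved)]
        if strays:
            findings[digest] = sorted(strays)
    return findings


def demo():
    """Build a constructed file tree, run the scan, and return relative stray paths."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample records; not real patient data.
        record_db = b"patient_id,name,dob\n1001,Example Patient,1970-01-01\n"
        layout = {
            "dw/prod/patients.csv": record_db,             # the approved master copy
            "analytics/extract_2015.csv": record_db,       # same bytes, different name
            "shares/finance/backup.dat": record_db,        # stray copy on an unrelated share
            "home/alice/notes.txt": b"unrelated file\n",   # not a duplicate at all
        }
        for rel, data in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        groups = group_by_content(root)
        findings = copies_outside(groups, [os.path.join(root, "dw", "prod")])
        # Report paths relative to the scan root so output is stable across runs.
        return {
            digest: [os.path.relpath(p, root) for p in strays]
            for digest, strays in findings.items()
        }


if __name__ == "__main__":
    for digest, strays in demo().items():
        print(f"dataset {digest[:12]}... has copies outside the approved store:")
        for p in strays:
            print("   ", p)
```

Hashing catches byte-identical copies only; an extract written out in a different format (a SQL dump versus a CSV export, say) needs a fingerprint of the records themselves rather than of the file. An inventory like this is also only as complete as the shares and hosts it is pointed at, which is exactly the gap the compliance executive was worried about.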

‘But that’s the way we’ve always done it’

The payment industry is another good example of this problem. Using a credit card requires numerous legacy steps, from the point of sale through the acquiring bank, the card network and the issuing bank and back again. Each step adds complexity to a transaction that is still modeled on the flow designed when paper card imprinters and carbon slips were in use.

From swiping your card to getting "approved," there are about 16 steps. That is a remarkable number of potential attack vectors for threat actors to exploit, and the same static account number is exposed at many of them. In today's digital environment, a consumer should not have to carry a plastic card, holding a reusable account number that works anywhere it is presented, to pay for goods and services at the point of sale. This technology has outlived its practicality in a modern, hyper-connected world.

A better idea

Staying with the payment theme, other economies have shown that evolving the process itself can deliver security. In my opinion, countries in Africa have advanced their payment systems further than those in the Western Hemisphere. A prime example is Kenya's M-Pesa payment system, which is phone-based and simply requires texting an amount to the person you want to pay. The process is streamlined: no card number or other reusable account credential is handed to the payee, so there is nothing on the merchant's side to compromise. The remaining risk is concentrated in the payer's phone, which only becomes a problem if they lose control of it.

It is smart, simple, and actual proof that changing the process improved security. The technology (i.e., the phone itself) needed no additional security feature set; the process removed the exposed secret, so there was less for the technology to protect in the first place.
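To make the "process determines exposure" argument concrete, the following added example (not from the article, and not a description of any real card network's or M-Pesa's actual message formats) models the two processes as sequences of hops and computes which parties end up holding a reusable secret. The party names, message contents and the list of what counts as reusable are assumptions chosen for illustration; the same analysis runs unchanged over any other process you care to model.

```python
"""Added example (not from the article): a small data-flow model that finds,
for each piece of data a payment process carries, which parties learn it and
whether it is still usable after the transaction completes.

Both flows are deliberately simplified teaching models, not the real message
formats of any card network or of M-Pesa. Party names, field names and the
REUSABLE set are assumptions made for this illustration.
"""
from collections import namedtuple

# One hop in the process: who sends, who receives, and the named fields carried.
Message = namedtuple("Message", "sender receiver carries")

# Fields that remain valid after the transaction: a card number and its
# companions can be replayed, a payer's PIN can be reused. A one-time
# authorization code or transaction reference cannot. (Assumed classification.)
REUSABLE = {"PAN", "expiry", "CVV", "phone_pin"}


def exposure(flow):
    """Map each field to the set of parties that see it anywhere in `flow`.

    A party sees a field if it sends or receives a message carrying it.
    """
    seen = {}
    for msg in flow:
        for field in msg.carries:
            seen.setdefault(field, set()).update({msg.sender, msg.receiver})
    return seen


def reusable_exposure(flow, owner):
    """Parties other than `owner` that learn a reusable field in `flow`.

    Each is a place where a breach yields something an attacker can spend
    again later, i.e. the attack surface the article is talking about.
    """
    parties = set()
    for field, holders in exposure(flow).items():
        if field in REUSABLE:
            parties |= holders - {owner}
    return parties


# Constructed model of a card "pull" payment: the payer hands a reusable
# credential to the merchant, who forwards it up the authorization chain.
CARD_FLOW = [
    Message("cardholder", "merchant_pos", {"PAN", "expiry", "CVV"}),
    Message("merchant_pos", "payment_gateway", {"PAN", "expiry", "CVV"}),
    Message("payment_gateway", "acquirer", {"PAN", "expiry"}),
    Message("acquirer", "card_network", {"PAN", "expiry"}),
    Message("card_network", "issuer", {"PAN", "expiry"}),
    Message("issuer", "card_network", {"auth_code"}),
    Message("card_network", "acquirer", {"auth_code"}),
    Message("acquirer", "payment_gateway", {"auth_code"}),
    Message("payment_gateway", "merchant_pos", {"auth_code"}),
]

# Constructed model of a phone-initiated "push" payment: the payer instructs
# their own provider, and the payee only ever receives a one-time reference.
PUSH_FLOW = [
    Message("payer_phone", "mobile_money_provider", {"phone_pin", "amount", "payee_id"}),
    Message("mobile_money_provider", "payer_phone", {"txn_reference"}),
    Message("mobile_money_provider", "merchant", {"txn_reference", "amount"}),
]


def compare():
    """Sorted list of third parties holding a reusable secret in each model."""
    return {
        "card": sorted(reusable_exposure(CARD_FLOW, "cardholder")),
        "push": sorted(reusable_exposure(PUSH_FLOW, "payer_phone")),
    }


if __name__ == "__main__":
    for name, parties in compare().items():
        print(f"{name}: {len(parties)} third parties hold a reusable secret: {parties}")
```

In the card model five third parties end up holding the account number, each of them a place where a breach yields a credential that still works tomorrow; in the push model only the payer's own provider does. What the model deliberately does not score is the payer's own device: in the push flow the phone and its PIN are the credential, so the exposure has been concentrated rather than eliminated, which is exactly why losing control of the phone is the residual risk.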

So instead of getting out your pen to write a multimillion-dollar check for the latest big data or artificial intelligence security tool, a smarter play may be to take a preliminary step and reassess your business processes and how they help or hinder security. You may find you do not need that complex tool at all, just sound network segmentation and role-based access control applied to a process that has been simplified first.

Jeff Schilling, a retired U.S. Army colonel, is Armor's chief of operations and security. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of focus include cloud operations, client ...
User Rank: Ninja
1/7/2016 | 3:27:10 PM
Re: Lost and Found
Jeff, you are preaching to the choir on this one. We run our business on an IBM i5 server, which is using all these mainframe lessons. I use compiled RPG programs at the backend, not scripting languages like PHP. I don't request data from clients with SQL, so no exposure to SQL injection. No exposure to cross-site scripting either. Access to the server is through the integrated Apache HTTP server, which does not even implement PUT or DELETE methods, only GET and POST. The Apache config only allows access to the program library with the compiled RPG programs, so you would need a tremendous amount of inside knowledge to spoof a POST to invoke these. The programs are locked down to only work if invoked from a valid i5 user profile portal session. Six wrong guesses and the profile is disabled.

We both know any system designed to be accessed CAN be accessed, so foolproof is impossible with enough inside knowledge. But if web apps hadn't moved away from these enterprise servers and compiled backend programs, we would not have the problems we have today. It was all about e-commerce on the cheap, convenience for users over security. Would the world really have been that bad if banks didn't connect their servers to the freaking Internet? Or swiping a card through a reader connected to a POS for approval, connected without thinking through the security behind it.
User Rank: Author
1/7/2016 | 3:05:34 PM
Re: Lost and Found

Thank you for your comments. No process is foolproof, but the complexity of many business processes we use today is a root cause of data breaches because they create a large attack surface. The main point of my article is that we need to examine our processes first for security, then put them on IT systems that are easier to secure.

I agree that the older style of mainframe application development created more secure business processes because they were created for a single purpose and a specified group of users. With the advent of web applications in the early '90s, we took advantage of the ubiquity of the user interface. However, we forgot to establish a security strategy to enforce role-based access, which was inherently built into older mainframe applications.
User Rank: Ninja
1/7/2016 | 1:00:37 PM
Lost and Found
"unless they lose their phone." I just shake my head at all these "advances" we make in paying for stuff. Where before losing your wallet, with cash and credit cards, was your risk, now we've moved that exposure to your phone. So besides losing cash/cards, they can also get all kinds of personal info along with it. What progress.

I guess you could argue you can at least PIN protect your phone access if lost, something not possible with wallet. But I find it hard to believe the bad guys can't get around that.

I dispute the "outdated" label on your example of multiple copies of files. I was taught development back in the '80s on mainframes; it did not involve creating applications like that. This is spawned by using inexpensive servers running an O/S designed for single users in a web environment built on protocols never intended to be secure. If that is the legacy you are referring to, I'm with you on that.