I couldn’t let this week go by without making at least one mention of what is taking place this weekend. This annual event held every year since the year I was born brings most of the United States to a mesmerized halt on the first Sunday in February…and this year I’ll be more mesmerized than I have been the past few years.
Yes, the event is the Super Bowl and yes, my beloved, dynastic, New England Patriots are -- for the fifth time in the last 11 years -- representing the American Football Conference (AFC) in “The Big Game.”
Now if you ask me who I think will win, I’ll tell you that dating back to mid-season 2001 I have believed the Patriots could or should win every game they’ve played. That doesn’t mean that I think there aren’t things they could do better. This year especially, I think there are things that they could do to improve their defense…but then again, what organization couldn’t stand to shore up its defense, particularly in this day and age when hackers continue to take aim at sensitive data.
Matthew Schwartz at InformationWeek thinks there are nine ways companies can improve their defense and minimize the impact – or better yet, the risk – of a data breach. His thoughts include:
- Put a good information security program in place
- Enforce strong passwords
- Hide breaches at your peril
- Gauge breach-notification speed carefully
- Expect data to be breached
- Encrypt all sensitive data
- Expire your own data
- Beware social engineering
- Demand data discovery services
These nine steps can be broken down into three categories:
- Security measures, including encryption, security software and making employees aware of how to detect a phishing attack or potential Trojan Horse;
- Damage control, such as not hiding that a breach has occurred and preparing how to react if one does; and
- Minimizing opportunity by ensuring the available block of data is too small to be worth targeting, so that breaching the system is not worth the hacker’s effort.
All of these areas are sound means to address potential breaches and seem reminiscent of defensive strategies in football. Much like stopping a play at or just after the line of scrimmage, having security software in place and using encryption will help detect and forestall hackers. Should that line of defense fail, having damage control measures in place will certainly minimize the long-term effects of the breach, much like a tackle made by the defensive secondary many yards downfield. Of course, the strategy of ball control in football is on par with minimizing opportunity; if there’s nothing there worth gaining in a breach, hackers likely will not do anything with what they get and are not likely to try again.
But while Schwartz does cover nine sound ways to minimize the damage of a data breach, he leaves out perhaps the tenth and most important line of defense – the “sacking of the quarterback on fourth-and-ten” – keeping out the intruders.
Stuffing the Run
Everything Schwartz discusses assumes that, if a hacker gets into a system, damage will be done and files will be stolen. But if there is no vulnerability to breach, then there is no way for an intruder to infiltrate the system.
At the root of so many of the breaches that took place in 2011, we saw some form of software vulnerability. Some of these vulnerabilities were latent issues in legacy code. Some arose from code that was poorly written. All were preventable -- had the companies writing the code performed structural analysis of their applications during every stage of the build process.
Software issues need to be dealt with before they become a problem, not after hundreds of thousands of sensitive data files are stolen and customers’ personal data is exposed. By ensuring sound structural quality out of the gate through a process of automated application software assessment during the build process, companies can identify vulnerabilities and form an impenetrable defense that will not allow the hackers to score.