Posted in the FTC [1]
The Federal Trade Commission (FTC) recently issued a guide, Start with Security: A Guide for Business, designed to give businesses guidance and concrete steps for protecting personal identifying information. Listed below are ten lessons from the guide that organizations could readily implement.
1. Start with security
From personal data on employment applications to network files with customers’
credit card numbers, sensitive information pervades every part of many
companies. Business executives often ask how to manage confidential
information. Experts agree on the key first step: Start with security. Factor
it into the decision making in every department of your business – personnel,
sales, accounting, information technology, etc. Collecting and maintaining
information “just because” is no longer a sound business strategy. Savvy
companies think through the implication of their data decisions. By making conscious
choices about the kind of information you collect, how long you keep it, and
who can access it, you can reduce the risk of a data compromise down the road.
Of course, all of those decisions will depend on the nature of your business.
Lessons from FTC cases illustrate the benefits of building security in from the
start by going lean and mean in your data collection, retention, and use
policies.
Don’t collect personal information you don’t need
Here’s a foundational principle to inform your initial decision-making: No one can steal
what you don’t have. When does your company ask people for sensitive
information? Perhaps when they’re registering online or setting up a new
account. When was the last time you looked at that process to make sure you
really need everything you ask for? That’s the lesson to learn from a number of
FTC cases. For example, the FTC’s complaint against RockYou
charged that the company collected lots of information during the site
registration process, including the user’s email address and email password. By
collecting email passwords – not something the business needed – and then
storing them in clear text, the FTC said the company created an unnecessary
risk to people’s email accounts. The business could have avoided that risk simply
by not collecting sensitive information in the first place.
Hold on to information only as long as you have a legitimate business need
Sometimes it’s necessary to collect personal data as part of a transaction. But once the
deal is done, it may be unwise to keep it. In the FTC’s BJ’s Wholesale
Club case, the company collected customers’ credit and debit card
information to process transactions in its retail stores. But according to the
complaint, it continued to store that data for up to 30 days – long after the
sale was complete. Not only did that violate bank rules, but by holding on to
the information without a legitimate business need, the FTC said BJ’s Wholesale
Club created an unreasonable risk. By exploiting other weaknesses in the
company’s security practices, hackers stole the account data and used it to
make counterfeit credit and debit cards. The business could have limited its
risk by securely disposing of the financial information once it no longer had a
legitimate need for it.
Don’t use personal information when it’s not necessary
You wouldn’t juggle with a Ming vase. Nor should businesses use personal
information in contexts that create unnecessary risks. In the Accretive
case, the FTC alleged that the company used real people’s personal information
in employee training sessions, and then failed to remove the information from
employees’ computers after the sessions were over. Similarly, in foru
International, the FTC charged that the company gave access to
sensitive consumer data to service providers who were developing applications
for the company. In both cases, the risk could have been avoided by using
fictitious information for training or development purposes.
2. Control access to data sensibly
Once you’ve decided you have a legitimate business need to hold on to sensitive
data, take reasonable steps to keep it secure. You’ll want to keep it from the
prying eyes of outsiders, of course, but what about your own employees? Not
everyone on your staff needs unrestricted access to your network and the
information stored on it. Put controls in place to make sure employees have
access only on a “need to know” basis. For your network, consider steps such as
separate user accounts to limit access to the places where personal data is
stored or to control who can use particular databases. For paper files,
external drives, disks, etc., an access control could be as simple as a locked
file cabinet. When thinking about how to control access to sensitive information
in your possession, consider these lessons from FTC cases.
Restrict access to sensitive data
If employees don’t have to use personal information as part of their job, there’s
no need for them to have access to it. For example, in Goal Financial,
the FTC alleged that the company failed to restrict employee access to personal
information stored in paper files and on its network. As a result, a group of
employees transferred more than 7,000 consumer files containing sensitive
information to third parties without authorization. The company could have
prevented that misstep by implementing proper controls and ensuring that only
authorized employees with a business need had access to people’s personal
information.
Limit administrative access
Administrative access, which allows a user to make system-wide changes to your system, should
be limited to the employees tasked to do that job. In its action against Twitter,
for example, the FTC alleged that the company granted almost all of its
employees administrative control over Twitter’s system, including the ability
to reset user account passwords, view users’ nonpublic tweets, and send tweets
on users’ behalf. According to the complaint, by providing administrative
access to just about everybody in-house, Twitter increased the risk that a
compromise of any of its employees’ credentials could result in a serious
breach. How could the company have reduced that risk? By ensuring that
employees’ access to the system’s administrative controls was tailored to their
job needs.
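The two lessons above (restrict access to sensitive data; limit administrative access) come down to a need-to-know permission model with a default of deny, plus a way to review who holds system-wide rights. The following is an added example, not code from the FTC guide or from any of the companies it names; the role names, permission names and staff list are constructed for illustration.

```python
# Added example (not from the FTC guide): a minimal need-to-know permission
# model. Role and permission names are constructed for illustration.
from dataclasses import dataclass, field

# Each role grants only the actions that job needs. There is deliberately no
# catch-all "admin" role handed to most of the staff.
ROLE_PERMISSIONS = {
    "support":      {"view_account_status", "open_ticket"},
    "support_lead": {"view_account_status", "open_ticket", "reset_user_password"},
    "engineer":     {"view_service_logs", "deploy_build"},
    "sysadmin":     {"view_service_logs", "manage_users", "change_system_config"},
}

# Actions that change the system for everyone; holders should be reviewed
# periodically and the list kept as short as the work allows.
ADMIN_ACTIONS = {"reset_user_password", "manage_users", "change_system_config"}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def permissions_for(user: User) -> set:
    """Union of the permissions granted by all of a user's roles."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(user: User, action: str) -> bool:
    """Default deny: an action is allowed only if one of the user's roles grants it."""
    return action in permissions_for(user)


def admin_holders(users) -> list:
    """Names of everyone able to perform a system-wide action, for an access review."""
    return sorted(u.name for u in users if permissions_for(u) & ADMIN_ACTIONS)


if __name__ == "__main__":
    staff = [
        User("alice", {"support"}),
        User("bob", {"support_lead"}),
        User("carol", {"engineer"}),
        User("dave", {"sysadmin"}),
    ]
    for u in staff:
        print(f"{u.name:6} reset_user_password: {authorize(u, 'reset_user_password')}")
    print("admin holders:", admin_holders(staff))
```

The point of `admin_holders` is the review step: the Twitter complaint describes a company that could not have produced a short answer to "who can reset any user's password?", and a permission model is only as good as the periodic check that the list is still the people who need it.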
3. Require secure passwords and authentication
If you have personal information stored on your network, strong authentication
procedures – including sensible password “hygiene” – can help ensure that only
authorized individuals can access the data. When developing your company’s
policies, here are tips to take from FTC cases.
Insist on complex and unique passwords
“Passwords” like 121212 or qwerty aren’t much better than no passwords at all. That’s why
it’s wise to give some thought to the password standards you implement. In the Twitter
case, for example, the company let employees use common dictionary words as
administrative passwords, as well as passwords they were already using for
other accounts. According to the FTC, those lax practices left Twitter’s system
vulnerable to hackers who used password-guessing tools, or tried passwords
stolen from other services in the hope that Twitter employees used the same
password to access the company’s system. Twitter could have limited those risks
by implementing a more secure password system – for example, by requiring
employees to choose complex passwords and training them not to use the same or
similar passwords for both business and personal accounts.
Store passwords securely
Don’t make it easy for interlopers to access passwords. In Guidance Software,
the FTC alleged that the company stored network user credentials in clear,
readable text that helped a hacker access customer credit card information on
the network. Similarly, in Reed Elsevier, the FTC charged that
the business allowed customers to store user credentials in a vulnerable format
in cookies on their computers. In Twitter, too, the FTC said the
company failed to establish policies that prohibited employees from storing
administrative passwords in plain text in personal email accounts. In each of
those cases, the risks could have been reduced if the companies had policies
and procedures in place to store credentials securely. Businesses also may want
to consider other protections – two-factor authentication, for example – that
can help protect against password compromises.
Guard against brute force attacks
Remember that adage about an infinite number of monkeys at an infinite number of typewriters? Hackers use automated programs that perform a similar function.
These brute force attacks work by typing endless combinations of characters
until hackers luck into someone’s password. In the Lookout Services,
Twitter, and Reed Elsevier cases, the FTC alleged
that the businesses didn’t suspend or disable user credentials after a certain
number of unsuccessful login attempts. By not adequately restricting the number
of tries, the companies placed their networks at risk. Implementing a policy to
suspend or disable accounts after repeated login attempts would have helped to
eliminate that risk.
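The two lessons above (store passwords securely; guard against brute force attacks) are usually implemented together in one credential store: passwords are kept only as a salted, iterated hash (the "iterative cryptographic hash" the guide mentions later), and repeated failures lock the account for a cooling-off period. The following is an added example using only the Python standard library; it is not code from the FTC guide or from any company it names. The iteration count, lockout threshold and lockout duration are constructed policy values, and the in-memory store stands in for a real database.

```python
# Added example (not from the FTC guide): salted, iterated password hashing plus
# a failed-attempt lockout, using only the standard library.
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000   # constructed value; raise it over time as hardware gets faster
MAX_FAILED_ATTEMPTS = 5       # constructed policy: lock after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60     # constructed policy: how long an account stays locked


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'. The password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


class AccountStore:
    """In-memory credential store with per-account lockout (constructed for the example).
    `clock` is injectable so the lockout window can be tested without waiting."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._accounts = {}   # username -> {"hash", "failures", "locked_until"}

    def create(self, username: str, password: str) -> None:
        self._accounts[username] = {"hash": hash_password(password),
                                    "failures": 0, "locked_until": 0.0}

    def is_locked(self, username: str) -> bool:
        acct = self._accounts.get(username)
        return bool(acct) and self._clock() < acct["locked_until"]

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'. Unknown users also get 'denied' so the
        answer does not reveal which usernames exist."""
        acct = self._accounts.get(username)
        if acct is None:
            hash_password(password, b"\x00" * 16)   # spend comparable CPU: no timing oracle
            return "denied"
        if self._clock() < acct["locked_until"]:
            return "locked"
        if verify_password(password, acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILED_ATTEMPTS:
            acct["locked_until"] = self._clock() + LOCKOUT_SECONDS
            acct["failures"] = 0
        return "denied"
```

A stored record such as `pbkdf2_sha256$600000$<salt>$<hash>` carries its own parameters, so the iteration count can be raised later and old records re-hashed on the user's next successful login. A lockout of this kind also needs monitoring: a burst of locked accounts across many usernames is itself the signal of a password-guessing campaign, and is worth alerting on rather than only absorbing.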
Protect against authentication bypass
Locking the front door doesn’t offer much protection if the back door is left open. In Lookout
Services, the FTC charged that the company failed to adequately test
its web application for widely-known security flaws, including one called
“predictable resource location.” As a result, a hacker could easily predict
patterns and manipulate URLs to bypass the web app’s authentication screen and
gain unauthorized access to the company’s databases. The company could have
improved the security of its authentication mechanism by testing for common
vulnerabilities.
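The defence against "predictable resource location" is not a less guessable URL but a guard that runs on every request: anything not explicitly public requires a session, and a resource that belongs to a particular customer additionally requires that the caller is that customer. The following is an added example, not code from the FTC guide or from Lookout Services; the paths, the session layout and the `support_lead` role are constructed for illustration.

```python
# Added example (not from the FTC guide): every request passes through a
# default-deny guard, so an unlinked or guessable URL is no substitute for
# authentication. Paths and session fields are constructed for illustration.
import re

# The only routes served without a session. Everything else is private by default,
# which is what makes a newly added page safe even if nobody remembers to protect it.
PUBLIC_PATHS = {"/", "/login", "/static/logo.png"}

# Report downloads are numbered sequentially (the "predictable resource" pattern),
# so the guard checks ownership of each one instead of trusting the URL.
REPORT_PATH = re.compile(r"^/reports/(?P<customer_id>\d+)\.pdf$")


def handle_request(path: str, session=None) -> int:
    """Return the HTTP status the app would send for this request.

    session is None for an anonymous caller, otherwise a dict with at least
    "user_id" and optionally "role" (constructed layout)."""
    if path in PUBLIC_PATHS:
        return 200
    if not session or "user_id" not in session:
        return 401                          # the login screen cannot be skipped
    m = REPORT_PATH.match(path)
    if m:
        owner = int(m.group("customer_id"))
        if session["user_id"] == owner or session.get("role") == "support_lead":
            return 200
        return 403                          # logged in, but not this user's report
    return 404                              # authenticated, but no such resource


if __name__ == "__main__":
    print(handle_request("/reports/1042.pdf"))                       # 401
    print(handle_request("/reports/1042.pdf", {"user_id": 1042}))    # 200
    print(handle_request("/reports/1043.pdf", {"user_id": 1042}))    # 403
```

The test the guide asks for is then simple to automate: request every private path without a session and assert on 401, then request another customer's resource with a valid session and assert on 403. Either check failing is the kind of finding that a routine scan for OWASP-listed weaknesses would have raised.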
4. Store sensitive personal information securely and protect it during transmission
For many companies, storing sensitive data is a business necessity. And even if you take
appropriate steps to secure your network, sometimes you have to send that data
elsewhere. Use strong cryptography to secure confidential material during
storage and transmission. The method will depend on the types of information
your business collects, how you collect it, and how you process it. Given the
nature of your business, some possibilities may include Transport Layer
Security/Secure Sockets Layer (TLS/SSL) encryption, data-at-rest encryption, or
an iterative cryptographic hash. But regardless of the method, it’s only as
good as the personnel who implement it. Make sure the people you designate to
do that job understand how your company uses sensitive data and have the
know-how to determine what’s appropriate for each situation. With that in mind,
here are a few lessons from FTC cases to consider when securing sensitive
information during storage and transmission.
Keep sensitive information secure throughout its lifecycle
Data doesn’t stay in one place. That’s why it’s important to consider security at
all stages, if transmitting information is a necessity for your business. In Superior
Mortgage Corporation, for example, the FTC alleged that the company
used SSL encryption to secure the transmission of sensitive personal
information between the customer’s web browser and the business’s website
server. But once the information reached the server, the company’s service
provider decrypted it and emailed it in clear, readable text to the company’s
headquarters and branch offices. That risk could have been prevented by
ensuring the data was secure throughout its lifecycle, and not just during the
initial transmission.
Use industry-tested and accepted methods
When considering what technical standards to follow, keep in mind that experts
already may have developed effective standards that can apply to your business.
Savvy companies don’t start from scratch when it isn’t necessary. Instead, they
take advantage of that collected wisdom. The ValueClick case
illustrates that principle. According to the FTC, the company stored sensitive
customer information collected through its e-commerce sites in a database that
used a non-standard, proprietary form of encryption. Unlike widely-accepted
encryption algorithms that are extensively tested, the complaint charged that
ValueClick’s method used a simple alphabetic substitution system subject to
significant vulnerabilities. The company could have avoided those weaknesses by
using tried-and-true industry-tested and accepted methods for securing data.
Ensure proper configuration
Encryption – even strong methods – won’t protect your users if you don’t configure it
properly. That’s one message businesses can take from the FTC’s actions against
Fandango and Credit Karma. In those cases, the FTC
alleged that the companies used SSL encryption in their mobile apps, but turned
off a critical process known as SSL certificate validation without implementing
other compensating security measures. That made the apps vulnerable to
man-in-the-middle attacks, which could allow hackers to decrypt sensitive
information the apps transmitted. Those risks could have been prevented if the
companies’ implementations of SSL had been properly configured.
5. Segment your network and monitor who’s trying to get in and out
When designing your network, consider using tools like firewalls to segment your
network, thereby limiting access between computers on your network and between
your computers and the internet. Another useful safeguard: intrusion detection
and prevention tools to monitor your network for malicious activity. Here are
some lessons from FTC cases to consider when designing your network.
Segment your network
Not every computer in your system needs to be able to communicate with every other
one. You can help protect particularly sensitive data by housing it in a
separate secure place on your network. That’s a lesson from the DSW
case. The FTC alleged that the company didn’t sufficiently limit computers from
one in-store network from connecting to computers on other in-store and
corporate networks. As a result, hackers could use one in-store network to
connect to, and access personal information on, other in-store and corporate networks.
The company could have reduced that risk by sufficiently segmenting its
network.
Monitor activity on your network
“Who’s that knocking on my door?” That’s what an effective intrusion detection tool
asks when it detects unauthorized activity on your network. In the Dave
& Buster’s case, the FTC alleged that the company didn’t use an
intrusion detection system and didn’t monitor system logs for suspicious
activity. The FTC says something similar happened in Cardsystem Solutions.
The business didn’t use sufficient measures to detect unauthorized access to
its network. Hackers exploited weaknesses, installing programs on the company’s
network that collected stored sensitive data and sent it outside the network
every four days. In each of these cases, the businesses could have reduced the
risk of a data compromise or its breadth by using tools to monitor activity on
their networks.
6. Secure remote access to your network
Business doesn’t just happen in the office. While a mobile workforce can increase
productivity, it also can pose new security challenges. If you give employees,
clients, or service providers remote access to your network, have you taken
steps to secure those access points? FTC cases suggest some factors to consider
when developing your remote access policies.
Ensure endpoint security
Just as a chain is only as strong as its weakest link, your network security is only as
strong as the weakest security on a computer with remote access to it. That’s
the message of FTC cases in which companies failed to ensure that computers
with remote access to their networks had appropriate endpoint security. For
example, in Premier Capital Lending, the company allegedly
activated a remote login account for a business client to obtain consumer
reports, without first assessing the business’s security. When hackers accessed
the client’s system, they stole its remote login credentials and used them to
grab consumers’ personal information. According to the complaint in Settlement
One, the business allowed clients that didn’t have basic security
measures, like firewalls and updated antivirus software, to access consumer
reports through its online portal. And in Lifelock, the FTC
charged that the company failed to install antivirus programs on the computers
that employees used to remotely access its network. These businesses could have
reduced those risks by securing computers that had remote access to their
networks.
Put sensible access limits in place
Not everyone who might occasionally need to get on your network should have an all-access, backstage pass. That’s why it’s wise to limit access to what’s
needed to get the job done. In the Dave & Buster’s case, for
example, the FTC charged that the company failed to adequately restrict
third-party access to its network. By exploiting security weaknesses in the
third-party company’s system, an intruder allegedly connected to the network
numerous times and intercepted personal information. What could the company
have done to reduce that risk? It could have placed limits on third-party
access to its network – for example, by restricting connections to specified IP
addresses or granting temporary, limited access.
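Both the segmentation lesson (DSW: one store network reaching other stores and corporate) and the third-party limit above (Dave & Buster’s: restrict connections to specified addresses or grant temporary access) reduce to a zone-based allowlist with a default of deny, which can be written down and checked against flows. The following is an added example, not code from the FTC guide or from any company it names: the zones, address ranges, ports and the vendor's access expiry are constructed for illustration, and the evaluator stands in for the policy a firewall would enforce.

```python
# Added example (not from the FTC guide): a default-deny, zone-based allowlist
# covering both internal segmentation and time-limited third-party access.
# Addresses and zones are constructed; 203.0.113.0/24 is an RFC 5737 documentation range.
import ipaddress
from datetime import datetime

ZONES = {
    "store_101":       ipaddress.ip_network("10.10.1.0/24"),
    "store_102":       ipaddress.ip_network("10.10.2.0/24"),
    "corporate":       ipaddress.ip_network("10.20.0.0/16"),
    "payment_gateway": ipaddress.ip_network("10.30.1.0/24"),
    "vendor_support":  ipaddress.ip_network("203.0.113.0/24"),
}

# (source zone, destination zone, destination port, expiry as ISO 8601 or None).
# Nothing else is permitted: stores cannot reach each other or corporate, and the
# vendor's remote-support access lapses on a date instead of living forever.
RULES = [
    ("store_101", "payment_gateway", 443, None),
    ("store_102", "payment_gateway", 443, None),
    ("corporate", "store_101", 22, None),
    ("corporate", "store_102", 22, None),
    ("vendor_support", "corporate", 3389, "2025-01-31T00:00:00+00:00"),
]


def zone_of(ip: str):
    """Name of the zone containing ip, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, dst_port: int, now_iso: str) -> bool:
    """Evaluate one flow against RULES. Unknown zones, unlisted pairs and expired
    rules are all denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    now = datetime.fromisoformat(now_iso)
    for rule_src, rule_dst, port, expires in RULES:
        if (rule_src, rule_dst, port) == (src, dst, dst_port):
            return expires is None or now < datetime.fromisoformat(expires)
    return False


if __name__ == "__main__":
    now = "2025-01-01T12:00:00+00:00"
    for flow in [("10.10.1.5", "10.30.1.10", 443), ("10.10.1.5", "10.10.2.5", 445),
                 ("10.10.1.5", "10.20.0.8", 443), ("203.0.113.7", "10.20.0.8", 3389)]:
        print(flow, "allowed" if is_allowed(*flow, now) else "denied")
```

Replaying historical connection logs through `is_allowed` is a cheap way to find flows the written policy forbids but the network currently permits; every such flow is either a missing rule to document or a segmentation gap to close.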
7. Apply sound security practices when developing new products
So you have a great new app or innovative software on the drawing board. Early in the
development process, think through how customers will likely use the product.
If they’ll be storing or sending sensitive information, is your product up to
the task of handling that data securely? Before going to market, consider the
lessons from FTC cases involving product development, design, testing, and
roll-out.
Train your engineers in secure coding
Have you explained to your developers the need to keep security at the forefront? In
cases like MTS, HTC America, and TRENDnet,
the FTC alleged that the companies failed to train their employees in secure
coding practices. The upshot: questionable design decisions, including the
introduction of vulnerabilities into the software. For example, according to
the complaint in HTC America, the company failed to implement
readily available secure communications mechanisms in the logging applications
it pre-installed on its mobile devices. As a result, malicious third-party apps
could communicate with the logging applications, placing consumers’ text
messages, location data, and other sensitive information at risk. The company
could have reduced the risk of vulnerabilities like that by adequately training
its engineers in secure coding practices.
Follow platform guidelines for security
When it comes to security, there may not be a need to reinvent the wheel. Sometimes the
wisest course is to listen to the experts. In actions against HTC America,
Fandango, and Credit Karma, the FTC alleged that
the companies failed to follow explicit platform guidelines about secure
development practices. For example, Fandango and Credit Karma turned off a
critical process known as SSL certificate validation in their mobile apps,
leaving the sensitive information consumers transmitted through those apps open
to interception through man-in-the-middle attacks. The companies could have
prevented this vulnerability by following the iOS and Android guidelines for
developers, which explicitly warn against turning off SSL certificate
validation.
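The Fandango and Credit Karma misconfiguration (under "Ensure proper configuration" and again here) is one setting: certificate validation switched off in the TLS client. The following is an added example, not code from the FTC guide or from either company, showing the weak client configuration beside the corrected one in Python's `ssl` module and an audit helper that flags the weak settings. No network connection is made; the contexts are only built and inspected.

```python
# Added example (not from the FTC guide): the weak TLS client setting beside the
# corrected one, plus an audit helper. No connection is opened.
import ssl


def insecure_context() -> ssl.SSLContext:
    """The misconfiguration from the complaints: certificate validation off.
    Built here only so the audit below has something to flag; never ship this."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE   # any certificate is accepted, so an on-path
    return ctx                        # attacker can impersonate the server


def secure_context() -> ssl.SSLContext:
    """The corrected configuration: system trust store, hostname check, TLS 1.2 floor."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context validates the peer."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: the certificate is not matched to the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS below 1.2")
    return findings


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_context()), ("secure", secure_context())):
        print(label, audit_context(ctx) or ["ok"])
```

The usual reason validation gets disabled is a development server with a self-signed certificate. The fix that keeps validation on is to trust that specific CA for that build only (`ctx.load_verify_locations(cafile=...)` on a context that still has `CERT_REQUIRED`), never to flip `verify_mode` globally and hope the change does not reach production.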
Verify that privacy and security features work
If your software offers a privacy or security feature, verify that the feature works as
advertised. In TRENDnet, for example, the FTC charged that the
company failed to test that an option to make a consumer’s camera feed private
would, in fact, restrict access to that feed. As a result, hundreds of
“private” camera feeds were publicly available. Similarly, in Snapchat,
the company advertised that messages would “disappear forever,” but the FTC
says it failed to ensure the accuracy of that claim. Among other things, the
app saved video files to a location outside of the app’s sandbox, making it
easy to recover the video files with common file browsing tools. The lesson for
other companies: When offering privacy and security features, ensure that your
product lives up to your advertising claims.
Test for common vulnerabilities
There is no way to anticipate every threat, but some vulnerabilities are commonly known
and reasonably foreseeable. In more than a dozen FTC cases, businesses failed
to adequately assess their applications for well-known vulnerabilities. For
example, in the Guess? case, the FTC alleged that the business
failed to assess whether its web application was vulnerable to Structured Query
Language (SQL) injection attacks. As a result, hackers were able to use SQL
attacks to gain access to databases with consumers’ credit card information.
That’s a risk that could have been avoided by testing for commonly-known
vulnerabilities, like those identified by the Open Web Application Security Project (OWASP).
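The SQL injection weakness in the Guess? case comes from building a query out of user input as text; the corrected form binds the input as a parameter so it can only ever be compared as a value. The following is an added example, not code from the FTC guide or from Guess?, showing the two lookups side by side on a constructed in-memory SQLite table, together with the kind of check an application test would run: query for an address that does not exist and confirm that nothing comes back.

```python
# Added example (not from the FTC guide): string-built query beside the
# parameterized one, on a constructed in-memory SQLite table.
import sqlite3

# A probe of the kind a vulnerability scan sends: the address does not exist,
# so a correct lookup must return no rows whatever else the string contains.
INJECTION_PROBE = "nobody@example.com' OR '1'='1"


def setup_db() -> sqlite3.Connection:
    """Constructed table standing in for the customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers (email, card_last4) VALUES (?, ?)",
                     [("ann@example.com", "1111"), ("ben@example.com", "2222"),
                      ("cy@example.com", "3333")])
    return conn


def lookup_vulnerable(conn, email: str) -> list:
    """The defect: user input pasted into the SQL text, so the input can change
    the query's logic. Kept only as the 'before' of the fix."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email: str) -> list:
    """The fix: the driver binds the value separately from the SQL text."""
    return conn.execute("SELECT email, card_last4 FROM customers WHERE email = ?",
                        (email,)).fetchall()


def returns_more_than_asked(conn, lookup) -> bool:
    """Minimal injection check: a lookup for a non-existent address must return nothing."""
    return len(lookup(conn, INJECTION_PROBE)) > 0


if __name__ == "__main__":
    conn = setup_db()
    for fn in (lookup_vulnerable, lookup_parameterized):
        print(fn.__name__, "leaks rows:", returns_more_than_asked(conn, fn))
```

The same check belongs in the application's automated test suite rather than only in an annual scan; a new query added with string formatting then fails the build instead of reaching customers.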
8. Make sure your service providers implement reasonable security measures
When it comes to security, keep a watchful eye on your service providers – for example,
companies you hire to process personal information collected from customers or
to develop apps. Before hiring someone, be candid about your security
expectations. Take reasonable steps to select providers able to implement
appropriate security measures and monitor that they’re meeting your
requirements. FTC cases offer advice on what to consider when hiring and
overseeing service providers.
Put it in writing
Insist that appropriate security standards are part of your contracts. In GMR
Transcription, for example, the FTC alleged that the company hired
service providers to transcribe sensitive audio files, but failed to require
the service provider to take reasonable security measures. As a result, the
files – many containing highly confidential health-related information – were
widely exposed on the internet. For starters, the business could have included
contract provisions that required service providers to adopt reasonable
security precautions – for example, encryption.
Verify compliance
Security can’t be a “take our word for it” thing. Including security expectations in
contracts with service providers is an important first step, but it’s also
important to build oversight into the process. The Upromise case
illustrates that point. There, the company hired a service provider to develop
a browser toolbar. Upromise claimed that the toolbar, which collected
consumers’ browsing information to provide personalized offers, would use a
filter to “remove any personally identifiable information” before transmission.
But, according to the FTC, Upromise failed to verify that the service provider
had implemented the information collection program in a manner consistent with
Upromise’s privacy and security policies and the terms in the contract designed
to protect consumer information. As a result, the toolbar collected sensitive
personal information – including financial account numbers and security codes
from secure web pages – and transmitted it in clear text. How could the company
have reduced that risk? By asking questions and following up with the service
provider during the development process.
9. Put procedures in place to keep your security current and address vulnerabilities that may arise
Securing your software and networks isn’t a one-and-done deal. It’s an ongoing process
that requires you to keep your guard up. If you use third-party software on
your networks, or you include third-party software libraries in your
applications, apply updates as they’re issued. If you develop your own
software, how will people let you know if they spot a vulnerability, and how
will you make things right? FTC cases offer points to consider in thinking
through vulnerability management.
Update and patch third-party software
Outdated software undermines security. The solution is to update it regularly and
implement third-party patches. In the TJX Companies case, for
example, the FTC alleged that the company didn’t update its anti-virus
software, increasing the risk that hackers could exploit known vulnerabilities
or overcome the business’s defenses. Depending on the complexity of your
network or software, you may need to prioritize patches by severity;
nonetheless, having a reasonable process in place to update and patch third-party
software is an important step to reducing the risk of a compromise.
Heed credible security warnings and move quickly to fix them
When vulnerabilities come to your attention, listen carefully and then get a move
on. In the HTC America case, the FTC charged that the company
didn’t have a process for receiving and addressing reports about security
vulnerabilities. HTC’s alleged delay in responding to warnings meant that the
vulnerabilities found their way onto even more devices across multiple
operating system versions. Sometimes, companies receive security alerts, but
they get lost in the shuffle. In Fandango, for example, the
company relied on its general customer service system to respond to warnings
about security risks. According to the complaint, when a researcher contacted
the business about a vulnerability, the system incorrectly categorized the
report as a password reset request, sent an automated response, and marked the
message as “resolved” without flagging it for further review. As a result,
Fandango didn’t learn about the vulnerability until FTC staff contacted the
company. The lesson for other businesses? Have an effective process in place to
receive and address security vulnerability reports. Consider a clearly
publicized and effective channel (for example, a dedicated email address like
security(@)yourcompany.com) for receiving reports and flagging them for your
security staff.
10. Secure paper, physical media, and devices
Network security is a critical consideration, but many of the same lessons apply to
paperwork and physical media like hard drives, laptops, flash drives, and
disks. FTC cases offer some things to consider when evaluating physical
security at your business.
Securely store sensitive files
If it’s necessary to retain important paperwork, take steps to keep it secure. In the Gregory
Navone case, the FTC alleged that the defendant maintained sensitive
consumer information, collected by his former businesses, in boxes in his
garage. In Lifelock, the complaint charged that the company left
faxed documents that included consumers’ personal information in an open and
easily accessible area. In each case, the business could have reduced the risk
to their customers by implementing policies to store documents securely.
Protect devices that process personal information
Securing information stored on your network won’t protect your customers if the data has
already been stolen through the device that collects it. In the 2007 Dollar
Tree investigation, FTC staff said that the business’s PIN entry
devices were vulnerable to tampering and theft. As a result, unauthorized
persons could capture consumers’ payment card data, including the magnetic
stripe data and PIN, through an attack known as “PED skimming.” Given the
novelty of this type of attack at the time, and a number of other factors,
staff closed the investigation. However, attacks targeting point-of-sale
devices are now common and well-known, and businesses should take reasonable steps
to protect such devices from compromise.
Keep safety standards in place when data is en route
Savvy businesses understand the importance of securing sensitive information when
it’s outside the office. In Accretive, for example, the FTC
alleged that an employee left a laptop containing more than 600 files, with 20
million pieces of information related to 23,000 patients, in the locked
passenger compartment of a car, which was then stolen. The CBR Systems
case concerned alleged unencrypted backup tapes, a laptop, and an external hard
drive – all of which contained sensitive information – that were lifted from an
employee’s car. In each case, the business could have reduced the risk to
consumers’ personal information by implementing reasonable security policies
when data is en route. For example, when sending files, drives, disks, etc.,
use a mailing method that lets you track where the package is. Limit the
instances when employees need to be out and about with sensitive data in their
possession. But when there’s a legitimate business need to travel with
confidential information, employees should keep it out of sight and under lock
and key whenever possible.
Dispose of sensitive data securely
Paperwork or equipment you no longer need may look like trash, but it’s treasure to identity thieves
if it includes personal information about consumers or employees. For example,
according to the FTC complaints in Rite Aid and CVS
Caremark, the companies tossed sensitive personal information – like
prescriptions – in dumpsters. In Goal Financial, the FTC alleged
that an employee sold surplus hard drives that contained the sensitive personal
information of approximately 34,000 customers in clear text. The companies
could have prevented the risk to consumers’ personal information by shredding,
burning, or pulverizing documents to make them unreadable and by using
available technology to wipe devices that aren’t in use.

[1] https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business