28 May 2012

Will the new EU privacy legislation secure Europe's digital economy?

by Paul Kenyon - COO of Avecto - Monday, 28 May 2012.

At the start of 2012, the European Commission announced it is to undertake a comprehensive review of the EU’s 1995 data protection rules. Its aim is to strengthen online privacy rights in a bid to boost Europe’s digital economy. Whether the latter will be achieved remains to be seen but, regardless of what it eventually decrees, increased privacy rights will be a given. While we wait for the official changes to be announced, organizations must act now and introduce 21st century data protection.

The legislation itself

As you’d expect, the EU’s 1995 data protection rules govern how personal data is collected, what it is used for and dictates that organizations have an obligation to protect it from misuse.

The key changes to the reform that will make organizations sit up and take notice are:
  • Serious data breaches will have to be notified as soon as possible (if feasible within 24 hours)
  • Penalties will be increased. For example, in the UK at present, the ICO can penalize organizations up to £500K. Under the revised legislation this would increase to €1 million or up to 2% of the global annual turnover of a company.
Why is it being reformed?

The rulings date back to 1995 when the internet was virtually unheard of by many. While this technological advancement has revolutionized the way many businesses operate – in fact some wouldn’t even exist without it, it has also introduced a number of challenges.

For instance an organization’s perimeter is no longer restricted to physical or even geographical boundaries. While good for trade in allowing practically any business to operate internationally, it can also allow hackers in to, and facilitate the easy transfer of corporate data out of, the safe confines of the network.

Unlike the physically connected desktops of 1995, today data can be transmitted wirelessly between a myriad of devices – Laptops, Smartphones, Tablets, USB sticks and the list goes on. The challenge for organizations is to prevent this multitude of endpoints facilitating data seepage.

Security from the outside

Unfortunately, short of locking data away and never allowing anyone to access it, there is no one thing that can be done to minimize the risk of data breaches. Equally true, doing nothing is unacceptable and leaves the enterprise exposed to risk.

Organizations need to mesh together appropriate procedures and policies to wrap the network in a security blanket that controls how data is accessed and what can be done with it.

The use of domains introduces control for specified groups of users and/or servers through a central security database. Once authenticated to a central server (or domain controller) users’ access to specific services, applications and directories can be restricted according to their job function or security clearance.

 Taking this further, introducing GPO (Group Policy Object) organizations can define what a system will look like and how it will behave for specific user groups. For example, you can define registry-based policies, security options, software installation and maintenance options, and even folder redirection. In this way, GPO can be used to deploy anti-virus solutions, making sure every workstation in a certain domain is running the program and ensuring each is regularly updated and patched.

A typical barrier organizations encounter, especially when locking down workstations, is an increase in calls to the help desk from users trying to do something that they’re not ‘authorized’ to do. Depending on the controls introduced, this could be accessing a particular directory, installing a printer driver, or even allowing a piece of software to run. In an effort to circumvent this, UAC (User Access Control) was introduced, and is arguably still one of the most controversial technologies.

UAC allows users with local admin rights to authorize applications to run – more often than not with the user unaware of the security implications this can have. On the other hand, if the user is not given admin rights, he is prompted by UAC and has to call the help desk every time he wishes to run an application. In an effort to limit these prompts, a UAC slider was introduced in Windows 7 which effectively allowed users with admin rights to turn off UAC – leaving organizations vulnerable to the devastation that can go on in the background undetected.

A defense-in-depth approach is another practice few employ but is exceptionally effective when it comes to increasing security and ultimately data protection by removing means of attack. It refers to installing a layered security approach – such as anti-virus software, anti-spyware protection, combined with routine patching and maintenance of existing solutions plus disabling applications and software that isn’t needed.


Soft interior

While each of the practices listed above will ensure a good strong enterprise, the one vulnerability that can’t be prohibited is the users. All too often it is the humans that introduce vulnerabilities.

We touched on this briefly when looking at UAC, but it is the routine practice of allowing users admin rights that can destroy an organizations security position. For example, once logged in as an administrator and with a little technical knowledge, a user can override controls, ignore patch requests or even switch off applications - such as anti-spyware protection, install unlicensed programs, access restricted directories, change settings, etc.

 Key risks include the following:
  • Many malware writers have designed programs to actively seek admin accounts. As an administrator has full control over the system, so too will the malicious software as it will not need to find a security flaw to gain privileged access to the system. Malware can use this privileged status to install drivers, intercept logon passwords, create user accounts, install root kits, replace system files and disable security software. In fact many viruses fail to infect a computer where a user has standard rights, and there is strong evidence that running users with minimal rights greatly reduces the risk of virus infection.
  • A user with excessive privileges can either deliberately or accidentally cause system configuration problems, resulting in downtime and increased desktop support.
  • Users with administrator rights are also free to install programs, which leads to unlicensed software installed on corporate systems and system stability problems.
By implementing a least privilege, and therefore least risk, strategy on top of all other security measures overall security is strengthened even further (like an umbrella covering everything else). While we wait to see the finer details of the reform one thing is a given - the more an organization does to secure their data and comply with legislation, the less likely they are to fall victim and the lower the fine if they do suffer a breach.

http://www.net-security.org/article.php?id=1718&p=1