A report released in the UK this week nicely highlighted the link between software security and data protection, a very hot topic this side of the pond in the midst of EU regulation reform and post-PRISM privacy concerns. The Information Commissioner’s Office (ICO), the UK’s independent regulatory office dealing with data protection and data privacy, released a report on the most common security weaknesses found during investigations of data breaches.
Those looking for tales of sophisticated cyber-attacks and industry buzz-phrases such as Advanced Persistent Threat will be disappointed. The ICO report shows that there are still too many businesses struggling with the basics, including failing to apply security updates to software, inadequate password storage and SQL injection. Organisations need to be responsible custodians of customer data to succeed, and failing to adequately protect that data because of ineffective IT security will leave them at risk of fines from regulatory bodies across the world.
Earlier this year the British Pregnancy Advice Service was fined by the ICO after the contact details of 10,000 people were exposed. The ICO found a number of security failings, including the fact that they had neglected to carry out security testing and were therefore ignorant of website vulnerabilities. These vulnerabilities enabled an attacker to access the personal data of people who had requested a call-back about having an abortion; the attacker then threatened to post this online. Thinking for a moment about the potential personal impact on those individuals if their names had been published on the internet for inquiring about an abortion shows why the ICO took this incident so seriously, and how important data protection can be.
The ICO report features eight main areas which have led to data breaches. I will not attempt to cover them all in this short blog post, but one area that naturally jumped out at me was SQL injection. The ICO points out that this method of attack is particularly relevant to data protection because it uses vulnerabilities in publicly-available websites to access a database, which is likely to contain personal information. As such, SQL injection carries a high risk of compromising significant amounts of personal data, and should therefore be a high priority for those concerned with data protection.
The ICO’s report provides clear, digestible advice for dealing with the prevention, detection and remediation of SQL injection. For externally developed applications this includes keeping software up to date; for internally developed applications the focus is on embedding security into the software development lifecycle through developer training and code review. For both internally and externally developed applications the ICO also suggests that organisations consider automated vulnerability assessments and penetration testing.
Also featured in the ICO report are the serious security implications of failing to decommission software and services which are no longer being used and are therefore not being properly maintained. The example given is that of an organisation which fails to properly take down a website which is connected to a back-end database that collects and processes personal data. Countless times, Veracode’s Discovery solution (which identifies all public-facing web applications through an automated scan) has shown that the difference between the number of applications an organisation thinks it has and the number that actually exist is huge. Identifying old applications that have not been properly decommissioned can be a quick win in reducing the attack surface and reducing the risk of breaches and non-compliance with data protection regulations, whilst also saving money by cutting down on unnecessary hosting fees.
So the message off the back of this report from the ICO? Get the basic stuff right. In a world of increasing investment in IT security and a proliferation of competing solutions for IT teams to consider, my advice is that before looking at the newest and shiniest solutions which promise to solve world hunger, identify a scalable and cost-effective way to eradicate well-known security weaknesses, like SQL injection, to significantly reduce the risk of a data breach.