GovDefenders Wednesdays | Reduce Your CyberPain: Restrict Data Access to Those with a Need to Know



Over the past few months our “situational awareness” with respect to cybersecurity has been enhanced by events including attacks on the New York Times, Twitter, and Facebook; the release of compelling evidence that much of our “CyberPain” can be traced to foreign, state-sponsored organizations; and the President’s timely Executive Order for Critical Infrastructure Cybersecurity.

Have we reached a tipping point? Is our collective level of concern now sufficient to give us the will to adopt the behaviors, install and utilize the defenses, and exercise the personal and organizational vigilance that will allow us to use the Internet as it was meant to be used? Unfortunately, I doubt it. We are only as strong as our weakest link, and that weak link is most often the individual who is uninformed, untrained, distracted, terminally careless, or malicious. A single click on a phishing email link may download malware that encrypts unprotected data on the network. A casual approach to password compartmentalization may provide a Twitter data thief with the key to our bank account. A relaxed approach to patch management by an overworked IT department can put the organization’s cyber defenses at risk of compromise by faster-acting criminals or cyber spies.

For most agencies, as well as companies in the knowledge economy, data is the most important asset. A bad actor may gain access to your network and the systems on the network, but if the data itself is well protected, the incident is unlikely to result in an expensive or damaging loss of critical data assets. The security community is in broad agreement that a “layered defense” is the best approach to protecting critical, sensitive data. As shown in the simple graphic below, a layered defense is orchestrated with policies and procedures appropriate to the organization, and is composed of separate, coordinated security systems that protect each layer of the IT infrastructure, and ultimately the data.

Cybersecurity Graph

Graphic 1 - Source: Microsoft TechNet

The first step in defending the data is to classify the organization’s data so that sensitive data can be properly managed. There is no need to protect publicly available data with the same resources that are used to protect working papers in a high-profile competitive procurement evaluation, for example. This step in the process is often the most time-consuming, as a thorough inventory is absolutely essential, and legacy systems or private data caches can complicate the process. Best practices for this process call for a three- or four-tiered scheme with data separated into categories based on the impact of exposure of the data.

In conjunction with the discovery and classification process, a matrix should be prepared that explicitly allocates the read-write-edit permissions for the organization’s personnel. The rationale for permissions should be well defined by function and name so that the matrix can be updated when reorganizations occur or personnel are added or terminated. Finally, a periodic evaluation and classification must be in place to address new data as it is introduced into the evolving enterprise, and as obsolescent systems are retired.
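As an added illustration (not part of the original post), the following sketch audits a permissions matrix keyed by name and function against the current personnel roster and the data classification inventory. The tier names, people, functions, datasets and policy ceilings are all constructed assumptions.

```python
from typing import NamedTuple

# Tier names are assumptions: a four-tier scheme ordered by impact of exposure.
TIERS = ["public", "internal", "sensitive", "restricted"]

class Grant(NamedTuple):
    person: str       # named individual
    function: str     # job function that justifies the grant
    dataset: str
    perms: frozenset  # subset of {"read", "write", "edit"}

# Constructed sample data (hypothetical names throughout).
DATASETS = {"press_releases": "public", "hr_records": "sensitive",
            "procurement_eval": "restricted"}
# function -> (highest tier it needs, permissions it may hold)
POLICY = {"communications": ("internal", {"read", "write", "edit"}),
          "hr": ("sensitive", {"read", "write", "edit"}),
          "contracting": ("restricted", {"read", "edit"})}
ROSTER = {"alice": "contracting", "bob": "hr"}  # current personnel
MATRIX = [
    Grant("alice", "contracting", "procurement_eval", frozenset({"read", "edit"})),
    Grant("alice", "communications", "press_releases", frozenset({"read"})),
    Grant("bob", "hr", "hr_records", frozenset({"read", "write"})),
    Grant("bob", "hr", "procurement_eval", frozenset({"read"})),
    Grant("bob", "hr", "legacy_share", frozenset({"read"})),
    Grant("carol", "communications", "press_releases", frozenset({"edit"})),
]

def audit(matrix, roster, datasets, policy):
    """Return (person, dataset, reason) for every grant that no longer holds."""
    findings = []
    for g in matrix:
        if g.person not in roster:
            reason = "person not on roster"        # terminated or never added
        elif roster[g.person] != g.function:
            reason = "function changed"            # stale after a reorganization
        elif g.dataset not in datasets:
            reason = "dataset not classified"      # new or legacy data missed by inventory
        elif TIERS.index(datasets[g.dataset]) > TIERS.index(policy[g.function][0]):
            reason = "tier exceeds need to know"
        elif not g.perms <= policy[g.function][1]:
            reason = "permissions exceed function"
        else:
            continue
        findings.append((g.person, g.dataset, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(MATRIX, ROSTER, DATASETS, POLICY):
        print(*finding, sep=": ")
```

Running the audit on each reorganization, hire or termination, and on each periodic classification pass, surfaces grants whose rationale no longer matches the roster or the inventory.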

The application of specific data loss prevention defenses is beyond the scope of this blog. However, the graphic below illustrates the basic steps that should be addressed and tailored to your environment. The security professionals at DLT Solutions can help you through this process, and reduce your CyberPain. Give us a call.

Data_Security_Lifecycle

Graphic 2 - Source: Cloud Security Alliance