Comment: Protecting Customer Data from Online Vulnerabilities

Photo credit: Tupungato/
Wieland Alge, Barracuda Networks

The severe ramifications for Barclays Bank, following the theft of thousands of customer files, have forced the issue of how organizations protect confidential data high up the agenda for both businesses and consumers. Trust is the cornerstone of all relationships, so if it becomes compromised, customers waste no time moving on to a brand they perceive as more deserving of their time and money. This being the case, data security executives the world over, responsible for protecting customers' personal information, are facing increasing pressure to prove that they have the plans and processes in place to ensure that their employer is not next to have its data security vulnerabilities exposed.

Indeed, in today’s multi-faceted virtual world, system failure is just the tip of the iceberg for technology leaders whose data strategies must now also incorporate protection against risk from the ever-moving feast that is cybercrime. With tactics ranging from pop-up adverts and spyware to capture web browsing habits, to the insertion of trojans or use of cleverly crafted queries designed to steal passwords and log-in information, there is risk associated with every online touch point.

Three Key Vulnerabilities

To protect against these attacks, organizations must give due diligence to the three key vulnerable channels that hackers can compromise online:

People – the potentially dangerous people with whom users interact.

The Barclays security breach highlights the vulnerability posed by people, with the now infamous delivery to a national newspaper of a memory stick containing personal details of 2000 customers.

Places – the potentially dangerous destinations or URLs where users visit.

The number of phishing campaigns worldwide increased by more than 20% in the third quarter of 2013, with crimeware (malware designed specifically to automate cybercrime attacks) evolving and proliferating, according to the Anti-Phishing Working Group (APWG).

Things – the potentially dangerous objects/applications with which the user interacts.

Every day, more than 100,000 websites run with the singular goal of spreading crimeware that can cripple the effectiveness of information security efforts.

As evidenced by the Barclays fiasco, many firms might think they have done enough to counter the risk posed by online crime, but in reality most organizations are not doing enough to keep data safe. Clear too, judging from the volume and severity of online crime, criminals know where vulnerabilities exist and have altered their strategies to bypass traditional security measures. The fact is, in today’s sophisticated technology landscape, security needs to be intelligent, scalable, and always on high alert wherever end-users happen to be.

The rise of phishing in recent years is a pertinent example of a form of cybercrime that indiscriminately attacks businesses of all sizes, wreaking havoc on reputations and destroying livelihoods. A common form of phishing involves using email addresses stolen from specific databases via SQL injection to launch targeted spear-phishing attacks against email users. General phishing attacks target a wide variety of people, typically flooding thousands of inboxes; however, spear phishing targets specific people or organizations. To mitigate against this, protecting your databases using properly configured web application firewalls (WAFs) is a no-brainer.

The Rules

There are two basic rules, of equal importance, that organizations need to keep front of mind when developing, implementing and managing data strategy:

Rule #1 for protecting your customers: Never lose their identity – ensure clear accountability for protecting individuals’ privacy at all times.

Rule #1 for employees: Educate them to not put business-related information at risk – continually consider and address privacy concerns.

An approach built on these two rules is the only way to stop malware, spyware, viruses, malicious content, and other threats, and to prevent hacking attacks.

Taking spear phishing as an example, the attacker will research personal information about the individuals in order to make their messages sound more convincing. The availability of personal information via social media has made this process a lot easier for cybercriminals, stressing the importance of ‘The Rules’ at all times for employees and customers alike.

Future Proofing

Anticipated or not, there will always be new and bigger threats to deal with. As technology and devices become more deeply embedded in our lives, the volume of vulnerable data will keep growing and the threats to that data will continue morphing.

A startling indication of the future scale of data security risk came recently in the form of an attack that exploited a key vulnerability in the infrastructure of the internet itself. Hosting and security firm Cloudflare said it recorded the "biggest ever" attack of its kind in February this year when hackers took advantage of a weakness in the Network Time Protocol (NTP) to flood servers with vast amounts of data. That same technique could potentially be used to force popular services offline.

Unfortunately, despite the NTP being one of several protocols used within the infrastructure of the internet to keep things running smoothly, it was designed and implemented at a time when the prospect of malicious activity was not considered. And there will be many other pieces of software or process so deeply entrenched in the way organizations work that unexpected risks will continue to emerge.

The fact is, above all else, the best organizations can do to protect their data is to stringently adhere to ‘The Rules’ – making sure that they, and their employees, always have data security front of mind in every process and interaction.

Dr. Wieland Alge is VP and general manager EMEA for Barracuda Networks and is responsible for the company’s business in the region. Before this he was CEO and co-founder of phion AG, which merged with Barracuda Networks in 2009. With many years of experience in the planning and deployment of international security projects, Alge also has a profound knowledge of the user’s and administrator’s perspective on security.

After attaining his PhD of Science, Alge was a lecturer and Scientific Assistant at the Institute for Theoretical Physics at the University of Innsbruck. In 2008, he won the recognition 'Entrepreneur of the Year' from Ernst & Young.
