The proverb "security is only as good as its weakest link" is well known in IT circles, yet most data security systems still fail at their weakest link, and in most cases that link is not even evident. Encryption illustrates this well. Suppose the finest encryption algorithm available is used with the longest possible key. Even if the algorithm itself is incredibly secure, was the same level of care applied when the key was chosen? If the key is password-based, for instance, it is likely derived from a small number of bits of entropy that the software then expands into a large key size. The result is far weaker than it appears, because its strength is still bounded by those few original bits. The next question is how the key is communicated to the other party. More often than not, that channel is the weakest link: how the key is transmitted and how the recipient handles it after receipt are unknown, and therein lies the weakness. Even if a courier delivers the key to the other party without any breach, the everyday problems of managing such a system can make it acutely weak. In addition, if the key is used more than once, a third party can intercept and read the communications with elementary cryptanalytic techniques. The weakest link is thus often unrelated to the part of the solution that is considered robust or impregnable.
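The two weaknesses described above, a password-derived key whose strength is capped by the password's entropy and a key that is reused, can be shown concretely. The following Python block is an added example written for this article and is not code from the original text; the PBKDF2 call is the real standard-library function, while the keystream generator, the sample messages, the salt and the password are constructed for the demonstration and are not a real cipher or real credentials.

```python
import hashlib
import math
import secrets


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password chosen uniformly at random from `alphabet_size`
    characters: log2(alphabet_size ** length) bits."""
    return length * math.log2(alphabet_size)


def derive_key_from_password(password: str, salt: bytes, key_len: int = 32) -> bytes:
    """Expand a password into a key_len-byte key with PBKDF2-HMAC-SHA256.
    The output is 256 bits long, but a KDF only stretches the password; it
    cannot add entropy the password never had."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=key_len)


def effective_key_strength_bits(password_len: int, alphabet_size: int, key_len: int = 32) -> float:
    """Strength of a password-derived key: bounded by the smaller of the
    nominal key size and the password's own entropy."""
    return min(key_len * 8, password_entropy_bits(password_len, alphabet_size))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream generator (constructed for this demo, not a real cipher):
    SHA-256 of key || counter, concatenated until `length` bytes exist."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def stream_encrypt(key: bytes, message: bytes) -> bytes:
    """One-time-pad style encryption: ciphertext = message XOR keystream.
    Decryption is the same operation. Secure only if the keystream, and
    hence the key, is never reused."""
    return xor_bytes(message, keystream(key, len(message)))


def key_reuse_leaks_plaintext_xor(key: bytes, m1: bytes, m2: bytes) -> bool:
    """With the same key, c1 XOR c2 == m1 XOR m2: the keystream cancels out,
    so an observer learns the relationship between the two messages without
    ever touching the key. This is the elementary attack key reuse enables."""
    c1 = stream_encrypt(key, m1)
    c2 = stream_encrypt(key, m2)
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)


if __name__ == "__main__":
    # Constructed example: an 8-character lowercase password versus a 256-bit random key.
    salt = b"constructed-salt"
    key_from_password = derive_key_from_password("password", salt)
    print(len(key_from_password) * 8, "bit key, but only",
          round(effective_key_strength_bits(8, 26), 1), "bits of strength")
    random_key = secrets.token_bytes(32)
    print(len(random_key) * 8, "bits of strength from a random key")

    # Constructed messages of equal length encrypted under one reused key.
    m1 = b"pay 100 to alice now"
    m2 = b"pay 900 to carol now"
    print("key reuse leaks m1 XOR m2:", key_reuse_leaks_plaintext_xor(random_key, m1, m2))
```

The point of `effective_key_strength_bits` is that an eight-character lowercase password yields roughly 37.6 bits of entropy no matter how many bytes the KDF emits, so the "256-bit" key is really a 37.6-bit key; the mitigation is to generate keys with a CSPRNG (`secrets.token_bytes`) or, where a password is unavoidable, to require enough length and character variety that the entropy approaches the key size. The `key_reuse_leaks_plaintext_xor` check shows why a key must be used once: the defence is a fresh key or nonce per message.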
Opting for a proprietary solution over industry standards may sometimes offer an organisation a small advantage through "security by obscurity", but it is dangerous to use techniques or systems that have not been widely analysed or studied by experts. Encryption is a fine example. Using an industry standard such as AES means that a large number of IT experts have analysed the algorithm and have not discovered serious flaws, and that any flaws discovered would be published. When the first generation of Wi-Fi encryption (WEP) was released, it was quickly shown to have grave vulnerabilities. Because WEP was an established standard, word got out fast and WEP was promptly replaced by stronger technologies. An organisation should be wary of vendors who have not disclosed their algorithm yet make substantial claims about the strength of their patented technology without expert backing.
For security to be highly effective, the problem must be clearly defined. An organisation can find itself with a good data security solution that does not address its real problems. Take the firewall: it is an excellent solution for specific problems, but if a database runs behind it, the firewall does not prevent application-level attacks such as SQL injection. These attacks are extremely frequent and highly dangerous, and since most firewalls do not address them, a specific, dedicated solution is needed to block them.
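Why a network firewall cannot help here is easiest to see in code: the injected request arrives on the same allowed port, inside a well-formed connection, and the flaw lies in how the application builds its query. The following Python block is an added example for this article, not code from the original text; it uses an in-memory SQLite table with constructed account rows, and places the vulnerable string-concatenated query beside the parameterised query that fixes it.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: three accounts in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts (username, balance) VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 75)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: user input is pasted into the SQL text, so the database
    parses the input as part of the statement. Nothing on the network layer
    distinguishes this request from a legitimate one."""
    query = "SELECT username, balance FROM accounts WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: a parameterised query. The driver binds the value
    separately from the statement, so input is only ever treated as data."""
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups against a normal username and a constructed input that
    closes the string literal and appends an always-true condition."""
    conn = setup_db()
    normal = "alice"
    hostile = "' OR '1'='1"  # constructed test input, the textbook injection shape
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns every account for the hostile input, while the parameterised lookup returns nothing because no user is literally named `' OR '1'='1`. This is the "specific, dedicated solution" the paragraph calls for: parameterised queries (or an ORM that uses them) in the application itself, with a web application firewall or database activity monitoring as a detection layer, rather than relying on the perimeter firewall.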
Relying on human factors can lead to hazardous results. If the end user is relied upon to make decisions without being equipped with enough knowledge of the technology, he or she can become a serious security weakness. An example helps clarify this. If a novice user is asked by the firewall "Do you want to run Microsoft MAPI protocol?", it is unclear how the user should respond: if the answer is no, a critical service gets blocked, and if the answer is yes, the system is made more accessible to breaches.
Another serious and extremely common issue is phishing fraud. Phishing scams are the hardest to defend against: if an individual is misled into entering his or her password for an important financial transaction into a fake form on a look-alike site, that individual becomes a ripe candidate for identity theft. Phishing is difficult to prevent because it all boils down to the human factor. A financial institution may have no knowledge or control of a scam being committed in its name, and if an individual relies on a password alone for authentication, the consequences can be dire. Even if two-factor authentication is applied on the financial institution's website, the individual might still have handed important data such as a Social Security number to the attacker.
In some cases data security breaches are specifically intended to obtain personal information from consumers, but in reality attackers usually take confidential, proprietary and classified data held in private sector files, such as research and technology, including intellectual property, and specific financial details, to be later bartered or sold to rival companies, used in bargaining, disclosed to the media, or even used for blackmail.
Security has to be usable in order to be effective. The most extreme and, on paper, strongest form of security is to cut off all online connectivity; however, this is clearly an unworkable solution and is not recommended.
Hence today's rise in IT security expenditure is not just a reaction to the growing frequency of data breaches endured by large organisations, but a necessary element given the increasing collaboration between users and shareholders in today's corporate landscape. According to a research paper, data security accounted for approximately 22% of the IT security technology budget in 2014, the second largest portion after network security. More than 40% of organisations plan to increase their IT security spending, specifically on data security, in 2015.
At the end of the day, data security is elusive and constantly changing to keep pace with the ever-evolving dynamics of the field, but the above principles should be kept in mind when making data security decisions. An organisation should define its data security problem clearly, identify the weakest links, adopt well-known industry standards, minimise reliance on end-user judgement, and keep things simple and easy for users to follow.