2018-08-07
Credit card numbers and social security numbers are not the only sensitive information that needs protection.
If you work in healthcare, you know how important medical information is; HIPAA is there to remind you. If you don't work in a hospital, clinic, or insurance company, you may well assume that medical information has nothing to do with you, but the continued growth of IoT, HR, and employee wellness programs means you probably hold more health data than you think. (Translator's note: HIPPA, as the original spells it, is the Health Insurance Portability and Accountability Act; Chinese literature generally refers to it simply as HIPAA, and sometimes by a Chinese rendering of its full name.)
Companies are collecting all kinds of data on their employees, from weight loss and smoking cessation to DNA tests and exercise patterns, and in some cases on their customers as well. All of this information can help an attacker profile a target, send them spam or spear-phishing email, or use their personal details to harass them.
Even if your company is not bound by HIPAA, medical information must be treated as highly sensitive and must be protected.
Which websites have you visited? Anyone who knows the answer knows an astonishing amount about you and your interests. That information is both intensely private and highly sensitive. Its sensitivity is what attracts criminals, and it is why the data needs protecting.
Browser history on a personal computer is one matter; spyware is also used for data collection and routinely looks at local browser history. When an enterprise uses tracking cookies as part of its web application suite and stores that information as customer data, the central store becomes extremely valuable, and vulnerable.
Which 17th-century European noble were you in a past life? Which pet suits you? Should elected officials do more to protect cockroaches? The web today is awash in quizzes, each designed to give you something fun to share on social media, and each able to collect very personal information.
Companies use personal information to target users with ads and marketing campaigns. Criminals can use the same information to send users spear-phishing email, spam, and disinformation. Once a company has obtained data from a survey, whether run for entertainment or for political purposes, it should treat that data as personally identifiable information (PII) and protect it accordingly.
On the modern internet everyone can express an opinion, and it seems everyone does. A person's opinions may be extreme, crude, ignorant, or insightful, but they help others understand that person. And when that information can be used to affect the person's job, finances, or reputation, it is highly sensitive.
Reputation is a factor that enterprise IT security rarely discusses, but in the consumer/individual world it matters enormously, because a person's reputation has a monetary value. If data a company collects and holds could be used to alter or damage a reputation, that data must be protected.
The debate over whether comments should be allowed at all has gone on for years and is unlikely to end soon. But if your organization allows users to post comments, it should protect those comments from being scraped, stolen, or combined with other information to help criminals do harm.
How does an employee perform at work? What are their working hours? What special skills do they have? When it concerns an individual, details like these (even without social security numbers or bank account information) are sensitive and should be treated as critical PII.
When we protect employee data, we tend to focus on the parts that connect directly to bank accounts or other financial factors. But a company may have a legitimate need to retain all kinds of information that could be used to intimidate, blackmail, or harass employees, causing them great harm and costing the company dearly.
These non-financial employment details are part of a person's personal information. Moreover, many companies collect personal information in order to help employees through difficult times. If carelessness allowed that same information to harm an employee, it would be a huge breach of the company/employee relationship.
A stolen password grants access to an account. Once the account's password is changed, the danger is over, right? Not so fast.
People tend to reuse passwords because they are easier to remember. That means that once a criminal knows the password for an account on one system, there is a good chance they know the password on several systems. Given that, a stolen password is not a simple problem that a password reset quickly fixes. When a password file is stolen, many sites and services may be affected.
Enterprise IT security tends to be somewhat short-sighted, focusing only on an incident's impact on the business itself. But "herd immunity" exists in IT security: each business's security practices tend to reinforce and extend the security of all businesses. Be a good citizen and treat password files as information stores that affect everyone. Everyone will be grateful!
Every security reviewer knows one of the mysteries of sensitive data: public, non-sensitive data can be collected and combined in a way that is highly sensitive. Since the birth of Big Data, this has become easier and easier for companies to do.
When your company collects data and builds Big Data on top of it, that Big Data should be protected just like traditional sensitive data. Although some experts believe that Big Data stores are not stolen because of their size and complexity, hacking teams such as the Lazarus Group have shown that they are willing to get into a network and slowly exfiltrate large data stores over months or years.
When the modern enterprise runs on many data types, IT security must protect those data types. IT professionals should not fall for the fallacy that non-financial data is not sensitive. If that view is allowed to stand, reputation, finances, and regulatory compliance will all suffer.
7 Non-Financial Data Types to Secure
4/14/2018
09:00 AM
Credit card and social security numbers aren't the only sensitive information that requires protection.
If you're part of the healthcare industry then you know how serious medical information is. HIPAA is there to remind you, in case you're apt to forget. If you're not working in a hospital, clinic, or insurance company then it can be easy to think that medical information isn't something that concerns you, but the growing alliance of IoT, HR, and employee wellness means that you may well have more health data in your records than you believe.
Companies are collecting data on everything from weight loss and smoking cessation to DNA tests and exercise patterns on their employees and, in some cases, on their customers. All of these are information types that can help build a complete picture of an individual, target the individual for spam or spear-phishing campaigns, or simply be used to harass people based on their personal information.
Even if your company isn't bound by HIPAA, health-based information must be considered exceptionally sensitive and must be protected as such.
Where have you been in your travels on the Web? If someone knows the answer, they know an amazing amount about you and your interests. That level of knowledge is both intensely private and very sensitive. And its sensitivity is part of what makes it both attractive to criminals and well worth protecting.
The browser history that lives on a personal computer is one thing, and we know that spyware often looks at local browser history as part of its data-gathering duties. When an organization uses tracking cookies as part of its Web application suite and stores the information as part of its customer data, then that central store becomes extremely valuable — and vulnerable.
What 17th Century European noble were you in a past life? Which pet is perfect for you? Should our elected officials be doing more to protect palmetto bugs? The Web is full of surveys today, each of which purports to give you fun information to share on social media, and each of which can collect incredibly personal information to do so.
Companies use the personal information to target users for ad and marketing campaigns. Criminals can use that same information to target individuals for spear-phishing, spam, and disinformation attacks. Once a company has data from a survey, whether the immediate point of the survey is entertainment or political action, it should treat that data as PII and take steps to protect it accordingly.
On the modern Internet, everyone can have an opinion — and it often seems like everyone does. Those opinions can seem loud, harsh, ignorant, insightful — but together they can help form a rich picture of an individual. And that rich picture can be sensitive when it could be used to target that person's work, finances, or reputation.
Reputation is one of those factors that enterprise IT security rarely talks about, but in the consumer/individual world it is incredibly important because an individual's reputation has a currency of its own. When data that a company collects and holds can be used to change or damage that reputation, then the data must be protected.
The debate on whether comments should be allowed at all has raged for years and is unlikely to go away any time soon. But if your organization allows users to make comments, then it should protect those users from having their comments scraped, stolen, and combined with other information to help criminals bring them to harm.
How has an employee been performing in their job? When are their hours? What are their special skills? Details like these, that don't tend to have social security numbers or bank account details attached, are still sensitive information when it comes to an individual and should still be considered critical PII.
When we protect employee data, we tend to focus on those pieces that connect directly to a bank account or other financial factor. But a company may have a legitimate need to keep all kinds of information that can be used to target the employee for intimidation, blackmail, or harassment — all things that can be enormously damaging to the individual and costly for the company to remediate.
These non-financial employment details are pieces that factor into the complex picture of an individual. More than that, though, many companies collect private information so they can help their employees go through difficult situations. It would be a huge breach in the company/employee relationship if that same information, through carelessness, were used to cause harm to the individual.
When a password is stolen, it can allow access to an account. When that password for the account is changed, the danger is over, right? Not so fast.
Humans tend to re-use passwords because, well, they're human. And that means that a criminal who knows the password for a user's account on one system has a better-than-even chance of knowing their passwords on multiple systems. Given this, a password breach is not a simple occurrence that can be quickly remedied with a forced password reset. When a password file is breached, the effects can ripple out across scores of sites and services.
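The paragraph above argues that a forced reset does not contain a leaked password, because the same password is probably live on other systems. One defensive consequence is that a reset flow should refuse any password already seen in a breach, without the password itself leaving the client. The block below is an added example, not code from the article or its author: it implements the hash-prefix k-anonymity query used by services such as Have I Been Pwned's Pwned Passwords (the article does not name that service), with a constructed in-memory breach corpus and a stand-in server object in place of the real API.

```python
"""Breached-password check with hash-prefix k-anonymity (added example).

The client hashes the candidate password with SHA-1, sends only the first
five hex characters, receives every known-breached hash suffix sharing that
prefix, and compares locally. The lookup service never sees the password
or its full hash. Corpus and counts below are constructed for the demo.
"""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5

# Constructed sample of passwords and occurrence counts, standing in for a
# real breach corpus; the values are illustrative only.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3_730_471,
    "123456": 23_597_311,
    "qwerty": 3_946_737,
    "letmein": 1_500,
    "correct horse battery staple": 12,
}


def sha1_hex(password):
    """Upper-case hex SHA-1 digest, the key format used by the range query."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Stand-in for the breach-lookup service (hypothetical, not a real API).

    Indexes the corpus by 5-hex-char prefix. With a real corpus each prefix
    bucket holds hundreds of suffixes, which is what gives the client its
    k-anonymity; the toy corpus here makes most buckets hold one entry.
    """

    def __init__(self, corpus):
        self._index = defaultdict(dict)
        for pw, count in corpus.items():
            h = sha1_hex(pw)
            self._index[h[:PREFIX_LEN]][h[PREFIX_LEN:]] = count

    def lookup(self, prefix):
        """Return sorted (suffix, count) pairs for every hash sharing prefix."""
        if len(prefix) != PREFIX_LEN:
            raise ValueError("prefix must be exactly %d hex chars" % PREFIX_LEN)
        return sorted(self._index.get(prefix.upper(), {}).items())


def breach_count(password, server):
    """Client side: send the prefix, match the suffix locally, return count."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for candidate_suffix, count in server.lookup(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def reset_policy(password, server):
    """Decision a password-reset flow can take with this check."""
    n = breach_count(password, server)
    if n == 0:
        return "accept"
    return "reject: seen in %d breach records" % n


if __name__ == "__main__":
    srv = RangeServer(CONSTRUCTED_BREACH_CORPUS)
    for pw in ("password", "a-unique-passphrase-nobody-has-used-7f3k"):
        print(pw, "->", reset_policy(pw, srv))
```

The point to notice is the division of labour: the server only ever learns a 20-bit prefix, so even a compromised or logging lookup service cannot recover which password was checked, while the organization still gets to reject credentials that are already circulating from someone else's breach.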
Enterprise IT security tends to be somewhat myopic, focusing only on an event's impact on the business itself. But "herd immunity" is a real thing in IT security; secure practices at each business tend to reinforce and amplify the security at all businesses. Be a good citizen — treat password files as stores of information that have an impact on everyone. Everyone will be grateful.
It's one of the mysteries of sensitive data that every security clearance holder knows: It's possible to take public, non-sensitive data, collect it, and put it together in a way that is highly sensitive. Since the dawn of Big Data, it's become easier and easier for companies to do just that.
When your company is gathering data and doing that Big Data voodoo on it, the results should be protected just as more traditionally sensitive data is shielded. Though some professionals like to pretend that Big Data stores are immune to theft because of their size and complexity, hacking teams such as the Lazarus Group have shown that they are willing to get into a network and slowly exfiltrate huge data stores over months or years.
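The two paragraphs above describe the aggregation problem: fields that are individually public become sensitive once combined. A practitioner's way to make that concrete, before deciding how an aggregated store must be protected, is to measure its k-anonymity, the size of the smallest group of records that share the same combination of quasi-identifiers. The block below is an added example, not from the article; the records, column names, and the ZIP/birth-year generalization steps are all constructed for the demonstration, and the k-anonymity metric itself is a standard privacy-engineering measure the article does not name.

```python
"""k-anonymity check for an aggregated data set (added example).

No single column below is a secret: ZIP codes, birth years and sex are all
public in isolation. The combination (the "quasi-identifiers") can single
out one person and tie them to the sensitive column. The functions measure
that risk and try coarsening ZIP and birth year until a target k is met.
All records are constructed for the demo.
"""
from collections import Counter

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

CONSTRUCTED_RECORDS = [
    {"zip": "02138", "birth_year": 1985, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "birth_year": 1985, "sex": "F", "diagnosis": "none"},
    {"zip": "02139", "birth_year": 1985, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1986, "sex": "M", "diagnosis": "none"},
    {"zip": "02141", "birth_year": 1962, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02141", "birth_year": 1963, "sex": "F", "diagnosis": "none"},
]


def _key(record, keys):
    return tuple(record[k] for k in keys)


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(_key(r, keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """k = size of the smallest equivalence class (0 for an empty set)."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def uniquely_identified(records, keys=QUASI_IDENTIFIERS):
    """Records whose quasi-identifiers match no other record (k == 1)."""
    classes = equivalence_classes(records, keys)
    return [r for r in records if classes[_key(r, keys)] == 1]


def generalize(record, zip_digits, year_bucket):
    """Coarsen one record: keep zip_digits of ZIP, bucket birth year."""
    g = dict(record)
    g["zip"] = record["zip"][:zip_digits] + "*" * (5 - zip_digits)
    year = record["birth_year"]
    if year_bucket > 1:
        base = year - year % year_bucket
        g["birth_year"] = "%d-%d" % (base, base + year_bucket - 1)
    else:
        g["birth_year"] = str(year)
    return g


def anonymize(records, target_k):
    """Try progressively coarser ZIP/year generalizations until k >= target_k.

    Returns (generalized_records, (zip_digits, year_bucket)), or (None, None)
    when no ZIP/year coarsening reaches target_k: that is the signal that the
    set cannot be released in this shape and must be kept as sensitive data.
    """
    for zip_digits in (5, 4, 3, 2, 1, 0):
        for year_bucket in (1, 5, 10, 20):
            generalized = [generalize(r, zip_digits, year_bucket) for r in records]
            if k_anonymity(generalized) >= target_k:
                return generalized, (zip_digits, year_bucket)
    return None, None


if __name__ == "__main__":
    print("raw k =", k_anonymity(CONSTRUCTED_RECORDS))
    print("singled out:", len(uniquely_identified(CONSTRUCTED_RECORDS)))
    for target in (2, 3):
        _, params = anonymize(CONSTRUCTED_RECORDS, target)
        print("target k=%d ->" % target, params)
```

On the constructed records the raw set has k = 1 (four of the six rows are singled out by ZIP, birth year and sex alone), five-year birth buckets reach k = 2, and no ZIP or year coarsening reaches k = 3 because the sex column still splits the groups. The second outcome is the important one: when generalization cannot get the data to an acceptable k, the aggregate has to be stored and access-controlled as sensitive data, which is the article's point.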
When modern business runs on diverse data types, modern IT security must protect diverse data types. IT professionals shouldn't fall prey to the fallacy that data without dollars attached isn't sensitive: Reputations, finances, and regulatory compliance are among the things that can be damaged and suffer if data tunnel-vision is allowed to flourish.