Old and unattended systems are easy prey for hackers

2021 02 26 · 4 min read

Nearly 800,000. That is the number of user records from various systems and services that were leaked in a single week. I would hazard a guess that this is only the tip of the iceberg and that we will hear about stolen personal data more than once. The only way to prevent such outcomes and to store the customer data entrusted to a company properly is to answer one question honestly: is the system that is supposed to protect personal data and other sensitive information actually fit for that purpose?

Many companies still run legacy systems: systems developed some years ago that are already technologically obsolete. They need attention for several reasons: the technologies they are built on go out of support, updates to the operating system, the security components and the libraries in use are forgotten, and over time the system stops meeting current security and reliability standards as well as the requirements of personal data protection law. To make such systems fit for further use, they must be reworked, either by upgrading individual components or by rewriting the entire code base. The potential and benefits of the public cloud should be assessed as part of that decision.

Systems developed before the GDPR often fail to meet the GDPR requirements

Personal data are often called “the new gold”, and losing them has painful consequences. Proper data management limits the potential harm to both the data subjects and the organisation holding the data, even when a leak does occur. One of the biggest mistakes in the processing of personal data is to treat them like any other data and apply the ordinary processing procedures and principles. The General Data Protection Regulation (GDPR) exists to prevent exactly that mistake.

The GDPR was adopted in 2016 and has applied since 25 May 2018. Companies collecting personal data must protect them properly, must not disclose them to third parties and may use them only for the purposes for which they were lawfully collected. The regulation (Article 32) names pseudonymisation and encryption of personal data among the appropriate technical measures; it does not prescribe a particular algorithm, but it does expect the measures to match the risk.
Access to such data should be granted only to those for whom it is strictly necessary, and the system and its infrastructure must be audited regularly. For a company’s system to meet all these requirements, it must satisfy both technological and security requirements.

It is especially important to assess a system’s compliance with the GDPR if its development started before the regulation applied, because strict technical requirements for the protection of personal data may have been omitted from the design. IT systems built earlier naturally paid less attention to personal data protection, so it is necessary to assess whether their existing security measures adequately protect those data both during the company’s day-to-day operation and in the event of unauthorised access.

A public cloud cannot become a public thoroughfare

Since the GDPR began to apply, I have observed a trend: companies look for quick ways to solve their system problems and choose to move them to a public cloud. Public cloud services do offer the opportunity to modernise software and to obtain all IT services, including the necessary data protection tools, in one place. But are you migrating to a public cloud because it is secure and you no longer have to worry about data or system security? That is a myth, and it should be forgotten. A public cloud provider guarantees the physical security of its data centres and offers a set of measures for securing the system you build on it. The responsibility for selecting, designing and configuring those measures correctly, however, remains yours; this is what providers call the shared responsibility model. If no overall data protection design is created and the available protections are not switched on, the public cloud becomes a public thoroughfare that anyone can walk into. That is a big mistake. For example, if you choose infrastructure services such as virtual servers (IaaS), remember that the maintenance, security and configuration of the operating system (Windows or Linux) stay in the hands of the company’s own IT staff. Whether a system runs on your own server or on a server in the public cloud, regular patching and the use of anti-malware tools are essential: they close the known vulnerabilities that attackers scan for most often. Against a genuine zero-day, for which no patch yet exists, patching alone cannot help, which is why the other layers discussed below (network isolation, least-privilege access, monitoring) matter as well.

When a company decides to abandon its physical infrastructure and migrate to a public cloud, a common mistake is to migrate systems exactly as they are, with only minimal changes (“lift-and-shift”). Before doing so, invest time and effort in understanding which services the chosen provider offers and how they map onto the components of the system being migrated or built. Recent data exposures covered in the media happened because non-functional requirements, among which information security is one of the most important, were disregarded when the system was designed, and testing of those requirements was forgotten.

How can public cloud functionality be used to ensure security?

The user interface is often the primary target of attacks, which try every vulnerability they can find. In the GDPR context it is important not only to protect the sensitive data collected, but also to make sure that data entered into the system are not intercepted while travelling between system components or to related systems; in practice this means encrypting data in transit with TLS rather than a home-grown scheme. Attackers also go after system and user accounts by guessing logins and passwords. So add controls such as a sensible password policy (minimum length and a check against known-breached passwords do more than arbitrary complexity rules), a limit on the number of failed logins within a given period, and monitoring for anomalies, for instance a user logging in from different geographical locations within a short time. Such tools are often available in the public cloud at no extra cost, yet companies forget to take full advantage of the services they already pay for.
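The two account-level checks mentioned above, a failed-login limit and a geographical anomaly check, are easy to prototype over a login audit trail. The following is an added example, not code from the original article or from any cloud provider; the log line format, the thresholds, the city coordinates and the sample events are all assumptions chosen for illustration. It also flags the case that matters most in practice: a successful login immediately after a burst of failures.

```python
"""Flag brute-force and impossible-travel patterns in authentication logs.

Added example, not code from the original article. The log line format,
the thresholds, the city coordinates and the sample events are all
assumptions chosen for illustration.
"""
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<UTC timestamp> <user> <OK|FAIL> <source IP> <geo city>".
SAMPLE_LOG = """\
2021-02-20T08:00:01Z alice FAIL 203.0.113.5 Vilnius
2021-02-20T08:00:03Z alice FAIL 203.0.113.5 Vilnius
2021-02-20T08:00:04Z alice FAIL 203.0.113.5 Vilnius
2021-02-20T08:00:06Z alice FAIL 203.0.113.5 Vilnius
2021-02-20T08:00:07Z alice FAIL 203.0.113.5 Vilnius
2021-02-20T08:00:09Z alice OK 203.0.113.5 Vilnius
2021-02-20T09:00:00Z bob OK 198.51.100.7 Vilnius
2021-02-20T09:30:00Z bob OK 192.0.2.44 Singapore
2021-02-20T10:00:00Z carol OK 198.51.100.9 Vilnius
2021-02-20T16:00:00Z carol OK 198.51.100.10 Warsaw
"""

# Assumed approximate (latitude, longitude) of the cities used in the sample.
CITY_COORDS = {
    "Vilnius": (54.69, 25.28),
    "Singapore": (1.35, 103.82),
    "Warsaw": (52.23, 21.01),
}

FAIL_THRESHOLD = 5                 # failures within FAIL_WINDOW that count as brute force
FAIL_WINDOW = timedelta(minutes=5)
MAX_SPEED_KMH = 1000.0             # no legitimate user moves faster than this between logins


def parse_line(line):
    ts, user, result, ip, city = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "result": result, "ip": ip, "city": city}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def _prune(window, now):
    """Drop failure timestamps that have fallen outside the sliding window."""
    while window and now - window[0] > FAIL_WINDOW:
        window.popleft()


def detect(lines):
    """Return a list of (alert_type, user, detail) for the given log lines, in order."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failed logins
    last_ok = {}                    # user -> most recent successful login event
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        window = failures[ev["user"]]
        _prune(window, ev["ts"])
        if ev["result"] == "FAIL":
            window.append(ev["ts"])
            if len(window) == FAIL_THRESHOLD:      # fire once when the threshold is crossed
                alerts.append(("brute_force", ev["user"],
                               f"{FAIL_THRESHOLD} failures within {FAIL_WINDOW} from {ev['ip']}"))
            continue
        # A success right after a burst of failures is the case worth waking someone up for.
        if len(window) >= FAIL_THRESHOLD:
            alerts.append(("success_after_brute_force", ev["user"], f"login from {ev['ip']}"))
        window.clear()
        prev = last_ok.get(ev["user"])
        if prev and prev["city"] != ev["city"]:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            km = haversine_km(CITY_COORDS[prev["city"]], CITY_COORDS[ev["city"]])
            if hours <= 0 or km / hours > MAX_SPEED_KMH:
                alerts.append(("impossible_travel", ev["user"],
                               f"{prev['city']} -> {ev['city']}, {km:.0f} km in {hours:.2f} h"))
        last_ok[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this yields three alerts: a brute-force alert for alice on her fifth failure, a second alert when her next attempt succeeds, and an impossible-travel alert for bob (Vilnius to Singapore in half an hour). carol's move from Vilnius to Warsaw over six hours stays quiet. A real deployment would take the geolocation from an IP database rather than a hard-coded table and would account for VPN exits and mobile carriers, which are the main source of false positives for this rule.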

Databases are the second most common target. Whether you run the database yourself on a virtual machine or use the provider’s managed database service (PaaS), it must be configured and maintained accordingly. Isolating databases from other system components with the public cloud’s network segments and firewall rules is the responsibility of the system’s designers, so correct architecture plays a very important role here. With the components properly isolated, only the necessary ports are open in each network segment, data travel over encrypted connections, and every component must authenticate with an access credential issued for that purpose before it sends or requests data. A further layer of protection comes from properly configured cloud access policies, which control system and user access in full, log sensitive events such as attempts to break into or otherwise tamper with the system, and feed automation that responds to defined actions or anomalies while immediately notifying the people responsible for the system so they can intervene. These protection tools are part of the services a public cloud provider offers. They are not switched on automatically, however; they must be deliberately selected and configured. In the GDPR context, remember that personal data must be protected not only during day-to-day operation but also when a security incident occurs, so personal data stored in the database should be encrypted at rest, and the most sensitive fields should additionally be encrypted or pseudonymised at column level so that a dumped table on its own is of no use. Designing and implementing these measures is the responsibility of the IT specialists developing the system.

Copies of data require the same care as the system itself or its database. Working backups are essential for recovery from unforeseen software failures, but it is just as important to protect them: encrypt them and store them only in public cloud storage with restricted access or on a protected internal company network. If copies of production data are used for design or development, the data must be depersonalised (pseudonymised or anonymised) first.
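Depersonalising a development copy, as recommended above, is usually done by replacing direct identifiers with tokens in a way that keeps the copy usable for developers. The following is an added example, not code from the original article: it pseudonymises a constructed customer table with a keyed hash (HMAC-SHA256) and refuses to export the copy if anything resembling an e-mail address or phone number survives. The record layout, the list of direct identifiers, the token format and the key handling are assumptions chosen for illustration.

```python
"""Pseudonymise a copy of a customer table before it leaves production.

Added example, not code from the original article. The record layout, the
list of direct identifiers, the token format and the key handling are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import re
import secrets

# Constructed sample of production rows that must never reach a developer's laptop as-is.
PRODUCTION_ROWS = [
    {"id": 1, "email": "ona.jonaite@example.com", "phone": "+37060000001", "plan": "gold", "balance": 120.50},
    {"id": 2, "email": "petras@example.org", "phone": "+37060000002", "plan": "silver", "balance": 15.00},
    {"id": 3, "email": "ona.jonaite@example.com", "phone": "+37060000001", "plan": "gold", "balance": 3.25},
]
DIRECT_IDENTIFIERS = ("email", "phone")

# Anything that still looks like an e-mail address or an international phone number.
_IDENTIFIER_PATTERN = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+|\+\d{8,}")


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Keyed hash (HMAC-SHA256) of the value, truncated to 16 hex characters.

    The same (field, value) always maps to the same token, so grouping and joins
    across tables keep working, while recovering the value requires the key: an
    unkeyed hash of an e-mail address could simply be brute-forced from a list of
    addresses. The field name is mixed in so an e-mail and a phone never collide.
    """
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{field}_{mac[:16]}"


def pseudonymise_rows(rows, key: bytes):
    """Return new rows with every direct identifier replaced by its token."""
    out = []
    for row in rows:
        copy = dict(row)
        for field in DIRECT_IDENTIFIERS:
            copy[field] = pseudonymise_value(key, field, str(copy[field]))
        out.append(copy)
    return out


def contains_direct_identifier(rows) -> bool:
    """Export gate: True if any cell still looks like an e-mail address or phone number."""
    return any(_IDENTIFIER_PATTERN.search(str(v)) for row in rows for v in row.values())


def make_dev_copy(rows):
    """Produce a development copy plus the key that was used.

    Keep the key in a secrets store separate from the copy if re-identification
    by an authorised person must stay possible (pseudonymisation); destroy it
    if it must not (which moves the copy towards anonymisation).
    """
    key = secrets.token_bytes(32)
    copy = pseudonymise_rows(rows, key)
    if contains_direct_identifier(copy):
        raise RuntimeError("direct identifier survived pseudonymisation; refusing to export")
    return copy, key


if __name__ == "__main__":
    dev_rows, _key = make_dev_copy(PRODUCTION_ROWS)
    for r in dev_rows:
        print(r)
```

Two caveats a practitioner should keep in mind. First, this is pseudonymisation, not anonymisation: the remaining columns (plan, balance, timestamps in a real table) are indirect identifiers and can single a person out in a small data set, so a copy that must be truly anonymous also needs those generalised or suppressed. Second, the key must live somewhere other than the copy; a key stored beside the data turns the exercise into a formality.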

The job of an “ethical hacker” is to point out the weak parts of the system

To test a system properly and establish its security status, specialised tools must be used and several types of security testing must be carried out, such as analysis of the software’s source code. Another type is black-box testing of a completed system, where nothing is known about its internals and “hacking” is attempted from the perspective of an external user, an attacker. The benefits of a third type, manual security testing, should not be dismissed either: here a highly experienced “ethical hacker” tries not only to find vulnerabilities but also to work out the actual risk if they were exploited, which automated scanners cannot judge.

One of the biggest problems with security testing is that it requires specific skills and experience, so not every small or medium-sized organisation can perform it on its own. That is why it is advisable to turn to security professionals who do this work every day, have enough experience to identify the most critical points of a system, and use specialised, commercial security auditing tools. After penetration testing, such a specialist can point out the vulnerabilities found, explain their risks, and provide recommendations and instructions on how they should be fixed.

The protection of a system is as strong as its weakest link

Protecting an information system requires an integrated approach. Responsibilities for information security within the company must be assigned, security requirements set, and appropriate measures selected and implemented in the design, development and maintenance of information systems. A properly designed system architecture together with correctly selected, implemented and regularly audited security measures are the safeguards that every company holding customers’ personal data must put in place.