Categories
Data Protection

What to do in the event of a data breach?

The information most compromised in a data breach is personal. For example, credit card numbers, social security numbers and medical records. Corporate information includes customer lists, manufacturing processes and software source code.

Unauthorized access to this information characterizes a clear data breach, resulting in identity theft or violation of compliance requirements vis-à-vis the government or regulatory sectors. Incidents like this lead to companies facing fines and other civil litigation, not to mention the loss of money and credibility.

The problem is that any company can suffer cyber attacks these days. No matter how many preventive actions are taken, the big question that arises – and which should be a priority for organizations of different sizes and sectors – is: what to do in the event of a data breach?

Recently there was a huge leak in which data from approximately 800 million email accounts was stolen. By the way, if you want to check whether your email data has also been stolen, go to: https://haveibeenpwned.com.

Main causes of data breaches

It’s common to think of a data breach as someone attacking a corporate website and stealing confidential information. However, not everything happens that way.

In fact, it only takes an unauthorized employee viewing a customer’s personal information on an authorized computer screen to constitute a data breach.

Data is stolen or breached for various reasons:

  • Weak passwords;
  • Missing software patches, leaving vulnerabilities that are exploited;
  • Stolen or lost computers and mobile devices;
  • Users who connect to unauthorized wireless networks;
  • Social engineering, especially phishing e-mail attacks;
  • Malware infections.

Criminals can use the credentials obtained through their attacks to enter confidential systems and records – access that often goes undetected for months, if not indefinitely.

In addition, attackers can target their attacks through business partners to gain access to large organizations. Such incidents usually involve hackers compromising less secure companies in order to gain access to the main target.

Prevention is still the best medicine

Ensuring a completely secure environment is a major challenge.

Today we have various resources and technologies that can considerably minimize the risk of attacks. However, the environment is highly dynamic, and many different aspects of it make cyber attacks possible. Prevention is therefore the best way forward.

In short, the most reasonable means of preventing data breaches involve security practices and common sense. This includes well-known basics:

  • Carry out continuous vulnerability and penetration tests;
  • Apply malware protection;
  • Use strong passwords;
  • Apply the necessary software patches to all systems;
  • Use encryption on confidential data.

Additional measures to prevent breaches and minimize their impact include well-written security policies for employees, as well as ongoing training to promote them.

In addition, there must be an incident response plan that can be implemented in the event of an intrusion or breach. It needs to include a formal process for identifying, containing and quantifying a security incident.

How to Deal with the Consequences of a Data Breach

Considering that a data breach can happen in any company and at any time, an action plan is the best tactic.

The most basic problem is that people still don’t see cyber attacks as inevitable: either they believe their defenses are good enough, or they don’t think they’ll be targeted.

Another problem is that organizations don’t understand the true value of effective incident response plans. It can take weeks for them to understand what has happened.

The recommended steps during a data breach are:

  • Identifying what happened;
  • Bringing together all the departments involved;
  • Containing the incident;
  • Minimizing side effects;
  • Managing external communication;
  • Recovering business operations;
  • Identifying lessons learned;
  • Improving processes.

The priority is to stop the breach of confidential data, thus ensuring that all the necessary resources are available to prevent any further loss of information.

Identification

Understand what happened – how the attackers got in or how the data was leaked – and make sure that the leak is not still ongoing.

Knowing what your situation is, defining the position to adopt and being able to take the necessary actions from that position are the first steps to take.

Containment

Did the attackers come from outside? Ensuring that nothing else leaves the company should also be one of the initial stages of incident response. The next actions will be carried out from this point.

Eradication

Deal with the problem by focusing on removing and restoring the affected systems.

Ensure that steps are taken to remove malicious material and other illicit content, for example by completely rebuilding the affected hard disks and scanning the affected systems and files with anti-malware software.

Communication

The next step is to align the discourse when it comes to external communication.

The IT policy must include care related to social networks and the organization’s other communication channels. After all, all the information related to the problem should come out of one place, always aligned with the actions taken by the company.

It is very common these days to include the organization’s legal department in communication issues and in dealing with situations with clients and official bodies.

On the saferweb website, which is a civil association focused on promoting and defending human rights on the Internet in Brazil, you can find a list of cybercrime police stations where you can file a complaint.

In addition to official bodies, remember to notify those affected by the leak, whether they are employees, suppliers or even customers.

Finally, don’t forget that the General Data Protection Act (LGPD) also deals with this issue.

Lessons learned from the Data Breach

If your company can solve the data breach problem and recover quickly, then it is on the right track to restoring business and minimizing the impact.

However, in some cases, the problem reaches the press and takes on greater proportions, affecting the company’s reputation and business.

Follow our tips and the examples of other organizations that have faced similar situations in order to understand what went wrong and make sure you have the best tactics to avoid a recurrence.

Another important tip is to subscribe to our newsletter and keep up to date with the latest news!

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.


Data Encryption for Payment and Financial Records

Today, huge amounts of personal and financial electronic data are part of our routines. In addition, digital currency flows in payment ecosystems are also present in everyone’s daily lives. After all, billions of transactions are processed every day. Hence the need to invest in Data Encryption for Payment.

That is why cutting-edge encryption has become so vital for our financial transactions and personal information.

Investing in Payment Data Encryption is Necessary for a Secure Online Financial System

As you may know, the online payment ecosystem is the main target of cybercriminals. For this reason, data encryption is necessary to maintain the integrity of interbank transactions and internet sales platforms.

Perhaps what you don’t know yet is the impact of personal data theft. Illegal access to confidential information generates billions of dollars every year.

By default, the payment infrastructure is a very popular target for hackers. However, the picture also includes attacks on social networks and other sites with many users, since they often store personal information.

Normally, when a consumer enters their credit or debit card details to make a purchase, the details are still in the clear when they leave the merchant’s terminal. This data is not protected until it is encrypted at a gateway on the processing platform.

This is a security model that puts the cardholder’s data at risk. After all, they can fall into the hands of cybercriminals who use methods such as network malware. It also puts the entire payments ecosystem at risk.

In a successful data breach, merchants face financial and reputational repercussions with consumers and the market itself.

Thus, symmetric encryption of financial records and data is one of the main resources for guaranteeing a secure online system. Especially when implemented end-to-end in a payment process or in the traffic of personal or confidential data.

Recently there was a huge data leak, in which data from approximately 800 million email accounts was stolen. If you want to check whether your e-mail data has also been stolen, check at: https://haveibeenpwned.com.

Security can be improved through Data Encryption, but it needs to be a priority

Technological solutions are key to protecting the payment system. However, industry collaboration is also an integral component in the collective fight against cybercrime.

Organizations need to prioritize security for several reasons:

  • The ease of buying and using services on the Internet has generated a great deal of transaction traffic, mainly consisting of personal and payment data;

  • Payment data encryption is still lacking when important information is stored in the cloud;

  • The considerable increase in mobile applications developed and deployed in the cloud has created business opportunities, but many organizations are still learning about the need to protect devices from security vulnerabilities;

  • Many organizations still establish partnerships with service providers without investing in security policies and processes to protect users and their personal and payment data.

The result of this scenario is a huge increase in security incidents and data theft, with financial, regulatory, legal, operational and brand consequences.

Data Encryption for Payment: the solution is available to everyone

Despite the risk of virtual attacks and data theft, the solution is available to all companies in the financial sector.

Companies need to become proactive in reducing security threats while accelerating their journey towards digital transformation. They therefore need to adopt flexible, scalable and dynamic platforms to manage the products and services available on the Internet.

Decision-makers – not just IT professionals, but especially executives – also need to understand and commit to shared responsibility for information security.

Encryption of financial records can help secure payment processes

Tokenization and data encryption for payment are examples of security technologies that are strong and play important roles in limiting the current virtual attacks and information thefts that take place in the digital market.

Tokenization technology, for example, replaces sensitive information – such as a credit card number – with a meaningless value or “token” that can be stored in a database. It usually has the same format so that it remains compatible with current card processing systems.

Data encryption for payment goes further, keeping all the information out of the merchant’s systems: the transaction chain from the terminal to the bank is fully encrypted.

So when a customer enters their payment details, or an employee swipes a credit card at a terminal, the details are encrypted immediately. From then on, they can only be read by someone holding the corresponding key.

Tokenization and encryption of payment data are valuable tools for protecting sensitive card transaction data. These are solutions that, when implemented efficiently, can provide the highest level of confidentiality in financial transactions and the sending of personal information.
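To make the tokenization described above concrete, here is an added example of a vault-based tokenization service; it is not code from the original post or from Eval’s products. It assumes an in-memory dictionary standing in for the token vault’s database and a constructed HMAC key standing in for a lookup key that would live in an HSM. Each token keeps the card number’s length and last four digits (so receipts and existing card-processing systems keep working), is generated randomly rather than derived from the card number, and is deliberately chosen to fail the Luhn check so it can never be mistaken for a real card number.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by real card numbers (PANs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to random, format-preserving tokens and back.

    The two dictionaries stand in for the vault database; in production the
    stored PANs would be encrypted with an HSM-protected key (assumption).
    """

    def __init__(self, lookup_key: bytes):
        # Keyed fingerprint, so the vault never indexes on the raw PAN.
        self._lookup_key = lookup_key
        self._token_by_fingerprint: dict[str, str] = {}
        self._pan_by_token: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def _random_token(self, pan: str) -> str:
        # Keep the last four digits for display; randomize everything else.
        middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        return middle + pan[-4:]

    def tokenize(self, pan: str) -> str:
        """Return the existing token for this PAN, or mint a new one."""
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        while True:
            token = self._random_token(pan)
            # A token must be unique and must NOT pass Luhn, so it can never
            # be confused with (or used as) a real card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._token_by_fingerprint[fp] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, behind its own access controls, can reverse a token."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))     # constructed key
    pan = "4111111111111111"                        # well-known test number
    token = vault.tokenize(pan)
    print("token stored by the merchant:", token)
    print("round trip inside the vault:", vault.detokenize(token) == pan)
```

The merchant’s systems only ever hold the token; the mapping back to the card number exists solely inside the vault, which is why the vault (and its lookup key) is the component that needs the strongest protection and the tightest access control.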

Want to know more about encryption and data protection? Follow our LinkedIn page and keep up with us here on the blog.


Key Management with Cryptography, how to protect data?

In recent years, suppliers in the data storage market have started to pay more attention to the use of the Key Management Interoperability Protocol (KMIP) in their solutions for integration with encryption key managers.

There are two main reasons for this. The need to comply with data protection regulations is an important reason.

There are also the benefits of Enterprise Key Management (EKM) solutions for companies.

Find out what these benefits are in this article.

Application of good practices in information security

The definition of what is adequate or sufficient to meet regulatory demands about protecting data varies greatly between companies.

Many solutions offer internal support for key management with encryption. Depending on the context, this may be enough.

However, adopting this model could compromise data security. After all, we must consider that the encryption key responsible for protecting the data is embedded in the storage solution itself.

In addition, it is common to find scenarios with several storage solution providers, where each one implements its own model of key management with encryption.

This can lead to human error and compromise data availability in the event of an unsuccessful encryption operation.

The use of an external key management solution provides adequate segregation of roles. It also offers a standardized model for all encryption processes.

In addition, these solutions usually offer international certifications for the implementation of encryption algorithms. This prevents, for example, the use of algorithms or key sizes that are considered weak.

On the OWASP website you can find a very interesting cryptography guide, which recommends against using the MD5, SHA-0 and SHA-1 hash algorithms and the DES symmetric encryption algorithm.

In addition, key management solutions with encryption can be coupled with equipment designed to provide protection with a high level of security.

For example, Hardware Security Modules (HSMs) and Enterprise Key Management (EKM). Protection is thus centralized for all the organization’s data storage systems.

Efficient Key Management with Cryptography

Typically, solutions that offer encryption capabilities do not manage the lifecycle of a key. They ignore, for example, validity periods, activation, deactivation, rotation that preserves data already encrypted under the previous key, and destruction.

Using the same encryption key for a long time is inappropriate. After all, this compromises security in the event of a data leak.

A management solution not only provides the necessary requirements for the entire key lifecycle; it also presents these features in a user-friendly interface, from a centralized console.

It even defines access profiles based on integration with a Lightweight Directory Access Protocol (LDAP) directory.

Flexibility of Implementation and Key Management with Cryptography

The decision to keep applications on your own infrastructure or migrate to an external data center depends on several factors.

If the key management solution with encryption is coupled with the storage system, the decision to keep it in-house or migrate to the cloud must take this into account.

Ability to generate audit reports during key management with encryption

For these cases, it is necessary to provide highly trustworthy information about access to keys: who accessed a key, the time of the event, and whether the operation succeeded or failed.

In addition, alert mechanisms can notify staff if problems arise with the key management equipment or other devices that communicate with the manager.

One of the main benefits of an external key management solution is its ability to enhance audit reports.

Trying to prove to an external compliance auditor that the keys are safe, secure and have strong access controls would be much more difficult with native storage, especially if there is more than one solution. This will also require all systems to be audited individually.

Segregation of profiles

External key management systems can define permissions for the administrators and users who will use the keys.

A common example of this is the ability to allow an administrator to create a key but not to use it to encrypt or decrypt, with the permissions derived from LDAP or Active Directory (AD) user attributes.

Normally, the systems’ own cryptography does not have this level of granularity in the administrative functions. As a result, the storage administrator is also responsible for the key.
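The three points made in the sections above, a key lifecycle with rotation that keeps old ciphertext readable, an audit record for every key operation, and a separation between the administrators who manage keys and the users who use them, can be seen together in the following added example of a minimal key manager. It is not Eval’s product, KMIP code, or anything from the original post. The principal-to-role table stands in for LDAP/AD group attributes, the allowed-algorithm table is a constructed policy, and HMAC-SHA256 in counter mode stands in for AES only because Python’s standard library has no block cipher.

```python
import hashlib
import hmac
import secrets
import time

# Policy table (constructed): algorithms and key sizes a key may be created
# with. Anything else, such as DES or short keys, is refused at creation.
ALLOWED_ALGORITHMS = {"AES": {128, 192, 256}}

# Stand-in for LDAP/AD group membership: principal -> role (assumption).
DIRECTORY = {"alice": "admin", "bob": "user"}
PERMISSIONS = {
    "admin": {"create", "rotate", "destroy"},   # manages keys, never uses them
    "user": {"encrypt", "decrypt"},             # uses keys, never manages them
}


class KeyManager:
    """Each named key holds numbered versions that move through the states
    active -> deactivated (decrypt only) -> destroyed (material erased)."""

    def __init__(self, clock=time.time):
        self._keys = {}      # name -> {"bits": int, "versions": [{"material", "state"}, ...]}
        self._clock = clock
        self.audit = []      # one record per attempted operation, successful or not

    def _record(self, who, op, key, ok, detail=""):
        self.audit.append({"time": self._clock(), "principal": who, "operation": op,
                           "key": key, "success": ok, "detail": detail})

    def _authorize(self, who, op, key):
        role = DIRECTORY.get(who)
        if op not in PERMISSIONS.get(role, ()):
            self._record(who, op, key, False, f"role {role!r} may not {op}")
            raise PermissionError(f"{who} may not {op} key {key!r}")

    def create(self, who, name, algorithm="AES", bits=256):
        self._authorize(who, "create", name)
        if bits not in ALLOWED_ALGORITHMS.get(algorithm, ()):
            self._record(who, "create", name, False, f"{algorithm}-{bits} rejected by policy")
            raise ValueError(f"{algorithm}-{bits} is not allowed")
        self._keys[name] = {"bits": bits, "versions": [
            {"material": secrets.token_bytes(bits // 8), "state": "active"}]}
        self._record(who, "create", name, True, f"{algorithm}-{bits}, version 0")

    def rotate(self, who, name):
        """Mint a new active version; the old one stays usable for decryption only."""
        self._authorize(who, "rotate", name)
        entry = self._keys[name]
        for v in entry["versions"]:
            if v["state"] == "active":
                v["state"] = "deactivated"
        entry["versions"].append({"material": secrets.token_bytes(entry["bits"] // 8),
                                  "state": "active"})
        self._record(who, "rotate", name, True, f"version {len(entry['versions']) - 1} active")

    def destroy(self, who, name, version):
        self._authorize(who, "destroy", name)
        v = self._keys[name]["versions"][version]
        v["material"], v["state"] = None, "destroyed"
        self._record(who, "destroy", name, True, f"version {version}")

    @staticmethod
    def _keystream(material, nonce, length):
        # HMAC-SHA256 as a PRF in counter mode: a stand-in for AES because the
        # standard library ships no block cipher (assumption, not a recommendation).
        blocks = (hmac.new(material, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((length + 31) // 32))
        return b"".join(blocks)[:length]

    def encrypt(self, who, name, plaintext):
        self._authorize(who, "encrypt", name)
        versions = self._keys[name]["versions"]
        active = [i for i, v in enumerate(versions) if v["state"] == "active"]
        if not active:
            self._record(who, "encrypt", name, False, "no active version")
            raise LookupError("no active key version")
        idx, material = active[-1], versions[active[-1]]["material"]
        header = bytes([idx]) + secrets.token_bytes(16)      # version id + nonce
        stream = self._keystream(material, header[1:], len(plaintext))
        body = bytes(a ^ b for a, b in zip(plaintext, stream))
        tag = hmac.new(material, header + body, hashlib.sha256).digest()   # encrypt-then-MAC
        self._record(who, "encrypt", name, True, f"version {idx}")
        return header + body + tag

    def decrypt(self, who, name, blob):
        self._authorize(who, "decrypt", name)
        idx, nonce, body, tag = blob[0], blob[1:17], blob[17:-32], blob[-32:]
        v = self._keys[name]["versions"][idx]
        if v["state"] == "destroyed":
            self._record(who, "decrypt", name, False, f"version {idx} destroyed")
            raise LookupError(f"key version {idx} has been destroyed")
        expected = hmac.new(v["material"], blob[:-32], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self._record(who, "decrypt", name, False, "authentication failed")
            raise ValueError("ciphertext rejected")
        self._record(who, "decrypt", name, True, f"version {idx}")
        return bytes(a ^ b for a, b in zip(body, self._keystream(v["material"], nonce, len(body))))
```

Ciphertext carries the version number of the key that produced it, so a rotation deactivates the old version without making anything unreadable, while destroying a version makes its ciphertext unrecoverable by design. Every call, including the refused ones, leaves a record with principal, time, operation and outcome, which is exactly what an external auditor asks for.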

Variety of systems where sensitive data can be stored

Across CRMs, file systems, virtual machines and structured or unstructured databases, there may be information that needs encryption to avoid exposure in the event of a security breach.

Key management with encryption, with the ability to integrate with open protocols, provides the necessary resources to meet the needs of a wide range of environments.

There are at least four perspectives that can be addressed regarding the location of the data to be protected: file system, operating system, database and memory.

The effort to implement encryption increases in that order, and so does the complexity, given the variety of environments and systems in the end-to-end flow of the data to be protected.

As you may have realized, native encryption is not necessarily the best way to protect data. If you still have questions about this, leave them in the comments. We’ll be happy to answer your questions.


Is Proper Key Management Really a Challenge?

Data protection leads companies to implement various encryption solutions. In this sense, one aspect that cannot be overlooked is the need for proper key management.

This is mainly due to the widespread use of encryption as a result of governance and compliance requirements. This shows that we have made progress in terms of data protection, but exposes the major challenge of key management.

After all, it’s common to manage keys in Excel spreadsheets, which can bring a great risk to organizations, since losing control or even losing cryptographic keys can cause the company to lose its data.

Key Challenges of Proper Key Management

Management is vital for the effective use of encryption. The loss or corruption of keys can lead to loss of access to systems and render them completely unusable.

Proper key management is a challenge that increases with the size and complexity of your environment. The larger your user base, the more difficult it will be to manage efficiently.

Some of the biggest challenges involve:

User training and acceptance

Users don’t like change. Although not really part of the key management process, failure to win their acceptance can be a major impediment to the success of a project.

Therefore, it is necessary to map the impact of adopting and using cryptography in your production cycle and the difficulties in recovering or resetting keys or passwords.

Listen to user feedback and develop appropriate training to address their specific concerns or difficulties. Develop system benchmarks to check performance before and after the product is implemented.

In other words, manage user expectations.

System administration, key maintenance and recovery

These problems can have a major impact on the organization and should be addressed with the supplier before a product is purchased. On an enterprise scale, manual key management simply isn’t feasible.

Ideally, management should integrate with the existing infrastructure, while providing easy administration, delivery and recovery of secure keys.

Recovery is a fundamental process, especially in situations such as an employee leaving the organization without properly handing over their keys, or a key being damaged and no longer usable. It should also be a simple but very safe process.

In proper key management, the generation procedure should be restricted to one person. In practice, there are products, for example, whose process allows a recovery key to be split into several parts.

From there, the individual parts of the recovery key can be distributed to different security agents. The holders of the parts must be present when the key is used. This process is simple but secure, because it requires several parties to recreate the key.

What’s more, forgotten passwords can have an additional impact on the support team. The process must therefore not only be simple, but also flexible. Remote and off-network employees need to be considered as well as internal ones. In this case, remote key recovery is an indispensable feature.

Best practices for proper key management

When dealing with key management problems, who can organizations turn to for help?

The specifics of proper key management are largely dealt with by cryptographic software, where standards and best practices are well established.

In addition, bodies such as the National Institute of Standards and Technology (NIST) and the Brazilian Public Key Infrastructure (ICP-Brasil) develop standards for government agencies that can be applied in any business community. This is usually a good starting point when discussing encryption products with your suppliers.

In the meantime, here are some industry best practices to get you started:

  • The usability and scalability of proper corporate key management should be the main focus of product analysis. The ability to leverage existing assets must play an important role in decision-making. Integration with an authentication environment will reduce costs and eliminate the need for redundant systems;

  • Two-factor authentication is a necessary security measure for financial organizations. Due to the increased processing power and capabilities of today’s computers, the strength of passwords alone is no longer enough.

Control and training

Management means protecting encryption keys from loss, corruption and unauthorized access. Therefore, at the end of the procedures and techniques applied to the management process, it is necessary to guarantee:

  • That the keys are kept securely;

  • That they undergo regular change procedures;

  • That management includes who the keys are assigned to.

Once the existing keys have been controlled, the policies and processes for provisioning, monitoring, auditing and termination need to be rigorously applied. For this reason, the use of automated tools can greatly ease the burden of responsibility.

Finally, information security professionals, infrastructure professionals, database professionals, developers and other professionals who need to use encryption keys should be trained, as a lack of awareness of the risks of protection failures is one of the main factors in problems.

If there is no control over access, there will be no security.

For more tips on proper key management and other more strategic topics for information security and data protection, subscribe to our newsletter and stay up to date!
