The 2015 hacking of the IRS database that gave criminals access to details of more than 700,000 taxpayers in the United States raised several questions regarding the way cyber-security was handled by the government. According to the latest audit reports released by the Government Accountability Office, the IRS still lacks a number of important database controls to identify and authenticate users through password settings, restrict server access and encrypt data. The audit report concludes its assessment by noting that “although IRS has continued to make progress in addressing information security control weaknesses, it had not always effectively implemented access and other controls to protect the confidentiality, integrity, and availability of its financial systems and information.”
The GAO report should find resonance not only in government circles, but also among enterprise businesses that continue to fall prey to the latest cyber-hacking attempts. Some independent reports estimate that businesses lose as much as $400 billion each year due to hackers. Despite an increasing focus on data storage and access standards across organizations, security has remained a cat and mouse game where hackers continue to win on a fairly routine basis.
So why are the increasing investments in data security not showing results? One of the major reasons is that a lot of cyber-hacking incidents involve an element of human gullibility. Take the instance of CIA Director John Brennan losing his AOL account to hackers – it involved the hackers posing as Verizon technicians to gather confidential details regarding the victim. Or, the latest revelations about how an embedded chip could be used to bypass security scans and exploit Android devices – this exploit will not work unless the victim clicks on a link distributed by the hacker. In each of these cases, a momentary lapse of judgement is primarily how hackers gain entry into confidential systems.
Overcoming human gullibility is surely one of the biggest challenges for security professionals, and this is not going away anytime soon. However, the loss due to this can be minimized through appropriate investments in data security. One area that has been gaining ground here is data monitoring. Database Activity Monitoring (DAM) tools are today a part of legal compliance. DAM involves automating the collection of information about traffic interacting with your database, correlating this traffic with legitimate use, creating policies to prevent unauthorized access, and offering a prioritized response.
One big advantage of DAM is that it can nullify, or at least partly minimize, the risks due to human error. A hacker posing as a Verizon technician may not be provided access to the database if access to it were mapped to legitimate use. Similarly, an Android system that can compare hyperlinks with a real-time database of risky clicks will be able to prevent hackers from gaining ground among a lot of victims.
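The correlation step described above, as an added example that is not from the original article or from any DAM product: it learns a per-user baseline of legitimate use from audit records, then scores live events against it and returns alerts in priority order. The log format, the user, host and table names, and the severity weights are all constructed assumptions.

```python
from collections import defaultdict

# Constructed audit records: "time user source_host action table rows_returned"
BASELINE_LOG = """09:01 app_svc app01 SELECT taxpayer 1
09:02 app_svc app01 SELECT taxpayer 3
09:10 analyst1 ws17 SELECT filing_stats 200
09:30 analyst1 ws17 SELECT filing_stats 450"""
LIVE_LOG = """14:00 app_svc app01 SELECT taxpayer 2
14:03 analyst1 ws17 SELECT taxpayer 5
14:07 app_svc vpn-203 SELECT taxpayer 1
14:09 app_svc app01 SELECT taxpayer 70000"""

def parse(log):
    for line in log.strip().splitlines():
        time, user, host, action, table, rows = line.split()
        yield {"time": time, "user": user, "host": host,
               "op": (action, table), "rows": int(rows)}

def build_baseline(log):
    """Learn each user's normal source hosts, operations and row volumes."""
    base = defaultdict(lambda: {"hosts": set(), "max_rows": {}})
    for e in parse(log):
        b = base[e["user"]]
        b["hosts"].add(e["host"])
        b["max_rows"][e["op"]] = max(b["max_rows"].get(e["op"], 0), e["rows"])
    return dict(base)

def evaluate(event, base, volume_factor=10):
    """Return (severity, reasons); severity 0 means the event matches legitimate use."""
    b = base.get(event["user"])
    if b is None:
        return 3, ["unknown user"]
    findings = []  # (weight, reason) pairs; weights are illustrative assumptions
    if event["host"] not in b["hosts"]:
        findings.append((2, "new source host"))
    if event["op"] not in b["max_rows"]:
        findings.append((2, "operation outside baseline"))
    elif event["rows"] > volume_factor * b["max_rows"][event["op"]]:
        findings.append((3, "row volume far above baseline"))
    return sum(w for w, _ in findings), [r for _, r in findings]

def prioritized_alerts(baseline_log, live_log):
    """Score live events against the baseline; highest severity first."""
    base = build_baseline(baseline_log)
    alerts = []
    for e in parse(live_log):
        severity, reasons = evaluate(e, base)
        if severity:
            alerts.append((severity, e["time"], e["user"], reasons))
    return sorted(alerts, key=lambda a: (-a[0], a[1]))
```

Calling `prioritized_alerts(BASELINE_LOG, LIVE_LOG)` ranks the bulk read by a valid account on its usual host above the two lower-severity deviations, which is the case credential-based checks alone would miss.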
Besides building tools to intercept and minimize data loss due to human errors, technology can also help with teaching employees how to approach an unanticipated data security incident. When the stakeholders (the platform owner, the customers and the vendors) act in sync and according to pre-established protocol, any trail that does not align with the rest of the users can be tracked and access to it minimized before major database interceptions can be made.