11 Point Checklist to Data Integrity
Don’t lose your information, or let it fall into the wrong hands
Information is the modern world’s new gold, or oil. It flows and pushes everything in the global economy, spawning terms such as “big data”. And just like gold or oil, this precious resource needs to be protected, and so data integrity has come to the forefront of every IT department’s concerns.
Data integrity definition
Data integrity is the property of information to remain intact and unaltered between modifications, whether the alteration would come from an unauthorized party or from a technical event. In the Internet age, the term data integrity is tightly connected to servers and databases, since this is where most of the world’s information is stored.
There are three dimensions to data integrity:
1. Secure communication. The information has been correctly and securely sent from the creator to the receiver.
For instance, the data sent from a customer registration form to the database containing the information for all other clients.
2. Safe storage. The data that is in servers hasn’t been altered or modified, and can still be used for its original purposes.
For example, customer information such as credit card details and addresses that an online merchant stores in a server.
3. Data can be audited. This means the data can be verified at each point where changes were made, allowing bugs, modifications and other alterations to be detected.
This is especially important in organizations that work with very sensitive data, such as payments, or health data. These organizations need to know who altered a certain piece of information, when, and how.
How data integrity can be compromised and what to do about it
There’s more than one way information can be corrupted, although the methods can be grouped into two major categories:
1. Technical errors
2. Cyber attacks and other security flaws.
Ever since the World Wide Web took shape, malicious hackers have sought to make a quick buck by exploiting its software and security vulnerabilities.
Studies have shown that companies that have been victims of data breaches and hacks suffer significant brand damage and loss of consumer trust. The infographic below puts this phenomenon in perspective, by showing how many existing consumers would discontinue a relationship with a breached company, or not enter a relationship with one.
Besides the business incentives behind stronger data integrity procedures, companies and organizations have legal pressures to worry about.
Regulators are now cracking down on organizations that aren’t capable of protecting their customers’ data. For example, North Carolina recently fined Adobe $1 million for a 2013 data breach, while the British ICO fined TalkTalk $400,000 for leaking the data of 150,000 customers.
Once the EU GDPR regulations kick into action, the fines can reach a whopping 4% of a company’s turnover.
Almost all the data of an organization passes through the hands of employees. Data integrity verification always falls on their shoulders first, so any security policy has to start with them.
For one, credential sharing between employees should be strictly controlled on a need-to-know basis. This prevents employees with responsibilities in one field (such as quality assurance) from accessing and modifying data from colleagues in unrelated fields (such as sales).
If employees need to share accounts as part of their work duties, consider using password managers. These allow the sharing of account login information, but without actually revealing the password used to access the account.
Secondly, employees need to be vigilant, and properly identify when something is out of place. There are numerous signs of hacking, but many of them are silent and easy to miss. Changed passwords, missing files, logins at strange hours and file modifications that cannot be accounted for are all signs of a hack.
Fortunately, there are a lot of resources to go around when it comes to employee education, such as:
- Cybersecurity Course for Beginners
- Cyber Security for Small Business Owners
- 50+ Useful Cyber Security Online Courses You Should Explore [Updated]
For the uninitiated, encryption is the go-to cybersecurity measure, but it is only effective in certain cases, and comes with a performance cost.
By encrypting the information in the database, whoever gets their hands on the files cannot access them without the decryption key.
This works very well in cases where there is a risk that an attacker acquires the files stored on the database (by physically stealing the server, or downloading the files by means of a cyberattack). Even if the data leak does occur, the hacker can glean little to no sensitive information until he decrypts the files.
Where encryption doesn’t help, however, is when an attacker targets the user account first, compromises it, and then uses it to access the decrypted files. In other words, there’s not much encryption can do to protect an organization’s data if the attacker hacked into the sysadmin’s account.
Keep an eye out for metadata
In short, metadata is data about data. A database containing information about suppliers and vendors might have metadata that covers aspects such as: date of last file modification, the author of the modifications and general description of data.
Here’s what metadata looks like for a Microsoft Word document:
A malicious hacker might be interested in metadata for a number of reasons:
- Learning what operating systems the organization uses. This allows the attacker to target it with a particular exploit kit.
- Email addresses. If he learns these, an attacker is then free to conduct social engineering attacks (such as phishing) against the account user.
- Application-specific data, such as what particular software a user employs, and what version it is. This also allows for exploit tailoring.
- In some situations, a technical attack leverages metadata to obtain usernames and passwords for accounts.
So how would a malicious hacker learn the metadata in the first place? Well, he can use a free tool that scans a website for files such as docs or PDFs, downloads them, and then reads their metadata.
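To see what a Word document would give away before it is published, the property parts of the file can be read directly. The following is an added example, not code from the original article; it assumes the .docx (Office Open XML) layout, in which properties live in docProps/core.xml and docProps/app.xml, and the sample values are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Parts of an Office Open XML package that carry document properties.
PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml")
# Fields that name people or software, the items the list above is concerned with.
REVEALING = {"creator", "lastModifiedBy", "Application", "AppVersion", "Company"}


def read_properties(docx_bytes: bytes) -> dict:
    """Return every non-empty property stored in the package, keyed by tag name."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in PROPERTY_PARTS:
            if part not in pkg.namelist():
                continue
            # Intended for your own files; use a hardened XML parser for untrusted input.
            for el in ET.fromstring(pkg.read(part)):
                name = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
                if el.text and el.text.strip():
                    found[name] = el.text.strip()
    return found


def revealing_fields(docx_bytes: bytes) -> dict:
    """Subset of properties that should be cleared before the file is published."""
    return {k: v for k, v in read_properties(docx_bytes).items() if k in REVEALING}


def build_sample() -> bytes:
    """Constructed sample: a minimal package with made-up property values."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
            'package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:creator>jdoe@example.com</dc:creator>'
            '<cp:lastModifiedBy>J. Doe</cp:lastModifiedBy><dc:title></dc:title>'
            '</cp:coreProperties>')
    app = ('<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/'
           '2006/extended-properties"><Application>Microsoft Office Word</Application>'
           '<AppVersion>16.0000</AppVersion></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()
```

Run `revealing_fields()` over every document in a publishing queue and hold back any file for which it returns a non-empty result.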
Limit physical access to the system
A malicious hacker can steal data on a server or computer simply by sticking a USB stick into it. For this reason, and many others, only a few trusted employees should have physical access to the server or database.
The most sensitive devices, such as servers, should be isolated in their own separate room (with proper ventilation for cooling), locked up and ideally bolted into the floor, ceilings or walls. Also, all ports should be sealed or covered. The whole point of the exercise is to make it difficult and uncomfortable for an attacker to physically access the machine.
Sure, the person who has to handle the device might complain about the usability hit, but the security advantages are worth the trade-off.
Smaller organizations, where space is at a premium and/or cannot afford a dedicated server room, should place the server or database near the watchful eyes of the highest privileged user. Depending on how the company is structured, this can be either the sysadmin or a manager.
Backup the data
Backing up the data is a must have, and goes a long way to prevent permanent information losses.
The correct answer to the question “how often to backup” is “as frequently as possible”. Of course, practical limitations such as performance and costs limit this greatly. Buying a second server, and the associated hosting can be one dollar too many for some small businesses.
Fortunately, cheaper dedicated cloud solutions exist such as:
Ironically, a malicious hacker can actually breach the website using the backup itself. If a sysadmin doesn’t properly anonymize it, a third party can find the backup using a simple Google search.
An attacker then downloads these files, and extracts some of the data on it. This includes hashed passwords, plaintext emails or other types of user information.
Remove duplicate data
During any organization’s activity, sensitive data can be duplicated and end up on shared folders, where employees without the required access privilege can see it.
Fortunately, constant cleanups of stray data can remove duplicates and ensure access controls are still in place.
This can be a time consuming affair, especially for smaller companies that don’t have a dedicated IT guy or gal to take the time to sift through all the files. So here’s a list of tools that can help clean up duplicate files on hard drive or cloud storage.
- Clone Files Checker can remove duplicates in Google Drive.
- Easy Duplicate Finder.
- Duplicate Cleaner.
If you’re using Windows Server, then you can use its Data Deduplication feature to clean up cloned files.
Another, much more powerful native tool that can help in weeding out stray files is the File Server Resource Manager.
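For a quick check without a dedicated tool, duplicates can be found by content hash and then compared for access rights, which is the actual risk described above. This is an added example, not code from the original article or from any of the tools listed; it assumes a POSIX file system, where the group/other permission bits stand in for "who else can see the copy".

```python
import hashlib
import os
import stat
from collections import defaultdict


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_duplicates(root):
    """Group regular files under root by content; return only groups with 2+ copies."""
    by_size = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                by_size[os.path.getsize(path)].append(path)
    by_hash = defaultdict(list)
    for paths in by_size.values():
        if len(paths) > 1:  # a unique size cannot have a duplicate, so skip hashing it
            for p in paths:
                by_hash[sha256_file(p)].append(p)
    return [sorted(g) for g in by_hash.values() if len(g) > 1]


def overexposed_copies(group):
    """Copies granting group/other permission bits that the strictest copy does not."""
    modes = {p: stat.S_IMODE(os.stat(p).st_mode) & 0o077 for p in group}
    strictest = min(modes.values(), key=lambda m: bin(m).count("1"))
    return sorted(p for p, m in modes.items() if m & ~strictest)


if __name__ == "__main__":
    import sys
    for group in find_duplicates(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(group, "-> tighten or remove:", overexposed_copies(group))
```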
SSL is a must-have security feature for any self-respecting website. SSL encrypts the data communicated between a website and the visitor’s device. This significantly reduces the threat of a man-in-the-middle attack, although it doesn’t remove it completely.
For instance, malicious hackers can perform something called a “downgrade attack”. This exploits a flaw in OpenSSL and downgrades the communication between the web server and the computer, so that it effectively becomes plaintext.
The cost of an SSL certificate varies between 30 and 40 dollars, but frequent promotions, especially for new customers, can push the price to as low as $5 or $6.
Installing it is also a relatively easy task, but differs depending on the company’s IT setup. Here’s an in-depth guide on how to install an SSL certificate.
Quality of life technical measures
These are mostly under-the-radar security features that most users will perceive as minor annoyances, but they offer tangible improvements in user security.
- Automatic log off. Logging off a user after each session will terminate the session cookie, cutting off access to the attacker if he somehow manages to intercept it.
- Data input validation. This feature confirms whether or not the data has been successfully introduced, allowing the user to make corrections.
- Force employees to set up strong passwords. Most internet users default to the easiest solution available for their problems, but not necessarily the best one. By creating a system that forces users to choose strong passwords, a company can avoid the risk of employees securing critical accounts with passwords such as “12345678”.
Volume and stress test the databases
Some technical attacks or server malfunctions happen because the hardware itself can’t cope with the amount of information it has to process.
Exploits might be possible thanks to bad code, such as buffer overflows. Poor configurations can also allow an attacker to brute-force login screens, and acquire user passwords.
Penetration testing and security audits
The best way to check if a company’s data is insecure, is to conduct a penetration test. In a nutshell, an ethical hacker will actively try to hack into your company in order to find vulnerabilities, and see how strong your infrastructure is.
Security audits, on the other hand, tend to be more in-house affairs, although smaller companies can outsource the task to a data integrity specialist. A cybersecurity audit should analyze:
- Employee security practices.
- What information is mission-critical for an organization.
- Potential methods a hacker might employ to get his hands on the information.
- What security procedures are in place to identify a potential hack.
Do data audits, and keep an audit trail
A critical aspect in maintaining data integrity is to have a method of tracking down the source of the information breach. This is called an audit trail, and allows the organization to follow the bread crumbs until they can accurately pinpoint the source.
Ideally, an audit trail meets the following criteria:
- It is automatically generated.
- A user doesn’t have the access privileges to modify the audit trail.
- The audit log tracks the creation, deletion and modification of each electronic record.
- Every action is time stamped.
- The audit trail allows for the reconstruction of all the steps taken to obtain a certain result.
In financial transactions, for instance, the bank has an audit trail that tracks when a user logged into his account, if he made a payment, how big the payment was, to whom he made the payment, and so on.
In more advanced setups, the audit trail can also track the exact device and even the location of the transaction.
If a malicious hacker breached a customer’s bank account, the bank can follow the audit log for the fraudulent bank payment, and then compare it to legitimate payments and flag the operation as a fraud.
In other environments, such as law firms for instance, an audit trail tracks who modified or deleted a certain document and when, as well as the modifications themselves.
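The criteria listed above can be met with a log in which every entry is time-stamped and carries the hash of the entry before it, so that an edited or removed entry is detectable. This is an added example, not code from the original article; hash chaining is one technique chosen here for illustration, and the users, records and timestamps are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # value the first entry chains to
FIELDS = ("ts", "user", "action", "record", "detail", "prev")


def _digest(entry):
    # Canonical JSON so the same entry always produces the same hash.
    body = {k: entry[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append(log, user, action, record, detail=None, ts=None):
    """Add a time-stamped entry that commits to the hash of the one before it."""
    if action not in ("create", "modify", "delete"):
        raise ValueError(f"unsupported action: {action}")
    entry = {"ts": ts or datetime.now(timezone.utc).isoformat(), "user": user,
             "action": action, "record": record, "detail": detail,
             "prev": log[-1]["hash"] if log else GENESIS}
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry["hash"]


def verify(log):
    """Return the index of the first entry that breaks the chain, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or _digest(entry) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def history(log, record):
    """Reconstruct, in order, every step taken on one record."""
    return [(e["ts"], e["user"], e["action"], e["detail"]) for e in log if e["record"] == record]


def sample_log():
    """Constructed sample: three entries with made-up users and records."""
    log = []
    append(log, "alice", "create", "invoice-17", {"amount": 100}, "2024-01-01T09:00:00+00:00")
    append(log, "bob", "modify", "invoice-17", {"amount": 150}, "2024-01-01T10:00:00+00:00")
    append(log, "alice", "delete", "invoice-18", None, "2024-01-01T11:00:00+00:00")
    return log
```

The chain only proves integrity if the most recent hash is kept somewhere the logged users cannot write to, since anyone able to rewrite the whole log can also recompute it.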
Legal obligations regarding data integrity
Lawmakers are catching up with the developments taking place on the Internet, and issuing regulation to protect the data of customers and impose industry-wide best practices.
Here are just a few important provisions from major pieces of data legislation around the world.
Even before the GDPR, the EU had a series of directives and regulations aimed at protecting internet user privacy. GDPR however will take things up a notch (or more, depending on who you ask).
1. The amount of personal data collected must be limited to what is necessary in order to carry out its purposes. – Rec.39; Art.5(1)(c).
Previous regulations stated that the organization shouldn’t gather an excessive amount of information about the user, but this left plenty of room for interpretation, which the new wording fixes. While it doesn’t concern data security per se, it requires the company to limit itself about collecting information it doesn’t actually need. For instance, companies that sell consumer electronics such as washing machines have no need for the consumer’s healthcare information.
2. Personal data must be kept accurate and up to date. Inaccurate and outdated information must either be corrected or deleted as soon as possible. – Rec.39; Art.5(1)(d).
3. In Rec.29, 71, 156; Art.5(1)(f), 24(1), 25(1)-(2), 28, 39, 32, the EU GDPR states that the entity responsible for processing the data must also have implemented the proper security measures to protect the data.
4. The controller is responsible for, and must be able to demonstrate, compliance with the Data Protection Principles. – Rec.85; Art.5(2).
Under previous legislation, the organization that processed the information had to ensure that it was compliant with legislation. This means it was up to interested parties to prove the organization didn’t properly protect its data.
Under the new EU GDPR legislation, the burden of proof falls on the organization, not on the interested party. In other words, it is now the company’s role to point out what security measure it has in place to protect customer information.
United States privacy laws
Unlike the EU, the United States does not have a single overriding legislation covering data integrity and privacy. Instead, a patchwork of federal and state regulations provide a legal framework.
Here are the most important pieces of US legislation covering data protection:
1. Federal Trade Commission Act. Prohibits unfair practices, including with regard to offline and online data.
2. Financial Services Modernization Act. Primarily focuses on regulating data in financial institutions, and includes provisions that cover data protection.
3. Health Insurance Portability and Accountability Act. Covers healthcare data, including best practices and obligations in maintaining the integrity of patients’ data.
4. Electronic Communications Privacy Act. Regulates the interception and tampering of electronic communications.
Information is the lifeblood of the new, modern economy, and keeping it safe and secure from prying eyes or even technical loss, is critically important to prevent damages caused either by regulatory fines or loss of business.
Do you think there are some other advanced data security best practices we could include, or do you have an interesting story to tell? Leave it in the comments below!