The impact of a data breach can be disastrous for an organization and can include loss of customer confidence and trust, financial penalties and other consequences. The average total cost of a data breach is $4 million, up by 29% since 2013 according to the "2016 Cost of Data Breach Study" published by the Ponemon Institute. The average cost per record breached is $158, whereas the average costs per record for the healthcare and retail industries are $355 and $129, respectively. Despite the high risk of the threat, enterprises continue to fall victim to data breaches globally, which raises significant concerns over protecting the data organizations own, process and store.

While external threats remain a high priority, the threat to sensitive data also comes from insiders. The threat of employees stealing customer information, personally identifiable information or credit card details is real because, in most cases, privileged users like system administrators or database administrators are given authorized access to the data. Often, the real data from the production environment is copied over to the nonproduction environment, which is less secure and not managed with the same security controls as the production environment, and as a result, data can be exposed or stolen.

Data obfuscation techniques offer different ways to keep data from falling into the wrong hands and to limit how many individuals can access sensitive information, while still meeting business requirements.

What is data obfuscation?

In the technology world, data obfuscation, which is also known as data masking, is the process of replacing existing sensitive information in test or development environments with information that looks like real production information, but is of no use to anyone who might wish to misuse it. In other words, the users of test or development environments do not need to see the actual production data as long as what they are looking at looks real and is consistent. Thus, data obfuscation techniques are used to protect the data by deidentifying sensitive information contained in nonproduction environments or masking identifiable information with realistic values, enabling enterprises to mitigate the data exposure risk.
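To make "looks real and is consistent" concrete, the sketch below masks one production row before it is copied to a test database. It is an added example, not taken from the article: keyed-HMAC substitution is one common approach among several, and the key, name list, field names and sample row are all constructed for illustration.

```python
import hashlib
import hmac

# Assumption: the key is held only by whoever produces the nonproduction copy.
# The key, the name list and the sample row below are constructed values.
MASKING_KEY = b"constructed-demo-key"
FAKE_NAMES = ["Alex Morgan", "Jamie Lee", "Sam Patel", "Chris Novak",
              "Robin Diaz", "Taylor Kim", "Jordan Blake", "Casey Ford"]

def keyed_digest(field: str, value: str) -> bytes:
    """Same input -> same substitute, so joins across tables still line up."""
    return hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()

def luhn_check_digit(body: str) -> str:
    """Digit that makes body + digit pass the Luhn test used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # doubled positions once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return luhn_check_digit(number[:-1]) == number[-1]

def mask_name(name: str) -> str:
    """Replace a real name with a realistic one from the substitution list."""
    return FAKE_NAMES[keyed_digest("name", name)[0] % len(FAKE_NAMES)]

def mask_card(pan: str) -> str:
    """Digits-only input; output has the same length and is Luhn-valid,
    so application validation still passes, but the digits are unrelated."""
    digits = str(int.from_bytes(keyed_digest("card", pan), "big"))
    body = digits[:len(pan) - 1]
    return body + luhn_check_digit(body)

def mask_record(rec: dict) -> dict:
    out = dict(rec)  # non-sensitive columns are copied unchanged
    out["name"] = mask_name(rec["name"])
    out["card"] = mask_card(rec["card"])
    return out

# Constructed sample row (a well-known test card number, not a real account).
PROD_ROW = {"id": 7, "name": "Alice Example", "card": "4111111111111111"}
TEST_ROW = mask_record(PROD_ROW)
```

Because the substitution is keyed, someone with only the test database cannot recover the originals by hashing guesses; a real substitution list would be far larger than eight names to avoid collisions.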

The need for data obfuscation techniques

Organizations often need to copy production data stored in production databases to nonproduction or test databases. This is done in order to realistically complete the application functionality test and cover real-time scenarios or test cases to minimize the production bugs or defects. As a result of this practice, a nonproduction environment can become an easy target for cybercriminals or malicious insiders looking for sensitive data that can be exposed or stolen. Because a nonproduction environment is not as tightly controlled or managed as the production environment, it could cost organizations millions of dollars to repair the damage to reputation and brand value should a data breach incident occur.

Regulatory requirements are another key driver for data obfuscation. The Payment Card Industry Data Security Standard (PCI DSS), for example, encourages merchants to enhance payment card data security with the broad adoption of consistent data security measures that provide a baseline of technical and operational requirements. PCI DSS requires that merchants' production data and information "are not used for testing and development." Inappropriate data exposure, whether by an accidental or malicious incident, could have devastating consequences and could lead to excessive fines or legal action levied for the violation of the rules.

Data obfuscation use cases

A typical use case for data obfuscation techniques arises when a development environment database is handled and managed by a third-party vendor or outsourcer. Here, data obfuscation becomes extremely important because it lets the third-party vendor perform its duties and functions as needed. By applying data obfuscation techniques, an enterprise can replace the sensitive information with similar values in the database and not have to worry about the third-party vendor exposing that information during development.

Another typical use case could be in the retail industry, where a retailer needs to share customer point-of-sale data with a market research company to apply advanced analytics algorithms and analyze the customers' buying patterns and trends. But instead of providing the real customer data to the research firm, the retailer provides a substitute that looks similar to the real customer data. This approach helps enterprises minimize the risk of data exposure or leakage through a business partner or other type of third-party organization.

Stay tuned for part two of this series on data obfuscation techniques.

This was last published in November 2016


SearchSecurity: Security Wire Daily News

Dan Tentler at Kiwicon. Image: Darren Pauli / The Register.

Kiwicon When Dan Tentler hacked writer Kevin Roose's Mac, his chief problem wasn't trying to pop the shell; it was trying to rein in the hundreds of shells he spawned.

Tentler had been tasked with breaching Roose's computer for a documentary showcasing penetration testers' ability to compromise users.

Tentler, also known as "Viss", told the Kiwicon hacking conference in Wellington today how he manually wrote exploits to gain access to Roose's laptop after discovering it was a Mac, but soon had access to his webcam, email, and Nest CCTV cameras.

"Shells were spawning everywhere, hundreds, so I had to write some scripts to shut them down," Tentler told the conference.

"You can do a lot of damage, but a lot of it is manual [hacking]."

With Roose's laptop boned, Tentler set about pushing limits. He set the Mac's text to speech tool to utter various sentences to mess with the writer. In one instance he made the computer say "wouldn't it be funny if I started talking to you" while Roose was in a cafe, frightening the life out of the unsuspecting writer.

In another, he made the computer remark "you look bored" after spying on him through his open webcam.

Tentler continued the absurdity by getting one of his friends to drive to Roose's house and stand in front of the writer's now compromised webcams with a sign reading "Viss was here". ®


The Register - Security

Paul Ducklin

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Follow him on Twitter: @duckblog


Information Security Podcasts

What does a team of talented and highly motivated interns do when paired with the expertise and capability of professionals in IBM Managed Security Services? Develop an interactive IBM hacking competition, of course.

I am intrigued by the idea of matching young, capable college students with seasoned IBM professionals to create interactive events. Knowing this, Diane Delaney, a worldwide talent manager at IBM, recommended I interview Chelsea Williams, one of the interns chosen to develop the IBM hacking competition.

An Intern Dishes on the IBM Hacking Competition

Question: Can you give us an idea of what this project was all about?

Williams: Sure, it was a Capture the Flag (CTF) event and was designed to test offensive, or red team, skills of the participants. Although these skills often fall into the realm of black-hat hacking, the thought is that without knowing how to break into a system, you can’t truly know how to secure a system. Thus, a CTF allows for these skills to be tested and developed.

The CTF, which we designed, hosted 15 teams consisting of 60 IBM employees from Managed Security Services.

Question: That sounds like a very cool project for IBM interns. How did you and your fellow interns contribute?

Williams: Well, we started off with building the hardware that was required. Then, we were involved in physically building the servers to house the required hardware. By the end of the setup, we had four physical servers racked into the lab server racks.

Once the servers were installed, the networking had to be implemented according to documentation that was designed. From that point, the infrastructure was ready to be configured for the games to start. One of the servers was designated to host Kali Linux, the operating system used by participants to interface with the rest of the environment.

We were responsible for the master virtual machine (VM), from which 20 clones were created, and each team was given its own VM. We were also responsible for the creation and testing of the various machines and challenges used throughout the CTF. We tested the challenge machines and ensured the walk-throughs were in place, just in case the teams required assistance throughout the two-week event.

Question: Wow! What a great hands-on learning experience! What will you take away from this?

Williams: I have met and worked with some pretty incredible IBMers. We all worked tirelessly to make the CTF competition a success, which is what makes it so memorable. I have thoroughly enjoyed working as an intern for IBM, and I am very grateful to represent a company that values the input from and collaboration with students.

Everyone Wins

The winner of the IBM hacking competition was team “Boom!” — a group of security correlation engineers at IBM. But, clearly, Williams and her fellow interns will be counted among the winners as well.


Security Intelligence