Difference between revisions of "Protecting Personal Information"

Latest revision as of 21:54, 23 May 2025

Full Title

How a large enterprise should structure itself to limit the risk of exposing User Private Information.

Context

Large Enterprises can no long succeed without a deep knowledge about their operations. This knowledge is retained in the data in their computer information systems. If these systems are not reliable many businesses need to just shut their operations down until the data is available again. The Resilience of these system is dealt with elsewhere. Enterprises already understand how their operational data needs to be both protected from exposure and available where it is needed. This wiki is focused on the data that is held in the system that is related to the humans that use the products and services both as employees, providers and as customers of the enterprise.

US Federal Trade Commission Protecting Personal Information: A Guide for Business

Problems

• Whenever a secret is widely shared, it should be treated as public knowledge as every process that can access the secret needs to as secure as the information protected by the secret.
• Secrets should never be accessible by any process that is accessed by any untrusted process. For example a Web Site that is accessed by the public internet should never have access to secrets.
• Since Web Sites may access data that is protected with encryption by secret keys, the process that does the decryption should not be in the same process, or security domain, as the Web Site.

Attack Models

Protecting personal data in corporate databases is crucial, as cybercriminals use various attack methods to exploit vulnerabilities. Here’s an extensive list of **common attacks**:

• 1. External Cyber Attacks**

- **Phishing** – Fraudulent emails trick employees into revealing credentials. - **Ransomware** – Encrypts corporate data, demanding payment for decryption. - **SQL Injection** – Exploits database vulnerabilities to extract sensitive data. - **Zero-Day Exploits** – Attacks unpatched software vulnerabilities. - **Man-in-the-Middle (MITM) Attacks** – Intercepts data between users and corporate servers. - **Credential Stuffing** – Uses leaked passwords to gain unauthorized access. - **Denial-of-Service (DoS) & Distributed DoS (DDoS)** – Overloads systems, disrupting operations.

• 2. Insider Threats**

- **Malicious Employees** – Staff with access misuse or steal data. - **Accidental Data Exposure** – Employees unintentionally leak sensitive information. - **Third-Party Vendor Breaches** – Weak security in external partners leads to data leaks.

• 3. Social Engineering Attacks**

- **Pretexting** – Attackers impersonate trusted figures to extract information. - **Baiting** – Offers fake incentives to trick employees into downloading malware. - **Tailgating** – Unauthorized individuals physically enter secure areas.

• 4. Advanced Persistent Threats (APTs)**

- **Nation-State Cyber Espionage** – Government-backed hackers target corporate secrets. - **Supply Chain Attacks** – Compromises software updates or vendor systems. - **Cloud-Based Attacks** – Exploits misconfigured cloud storage or weak authentication.

• 5. Physical Security Breaches**

- **Device Theft** – Stolen laptops or USB drives containing sensitive data. - **Dumpster Diving** – Retrieving discarded documents with confidential information. - **Unauthorized Access** – Gaining entry to restricted areas to steal data.

• 6. Emerging Threats**

- **AI-Powered Attacks** – Automated hacking tools enhance cybercriminal efficiency. - **Quantum Computing Threats** – Future quantum decryption could break encryption. - **Deepfake Social Engineering** – AI-generated impersonations trick employees.

For real-world examples

• a list of major data breaches
• FTC’s guide on responding to breaches

Vulnerabilities

While the attack models can expose weakness, there is a better way to approach the vulnerabilities exposed by the attacks as a way to improve the data protections of the implementation.

1. Excess Privilege will allow a bad actor that has penetrated the system to use the privileges that they have attained to create problems. A well know mitigation is to assign the Least Privilege needed to get the job done well.
2. Excess Access to all of a user's data when only selected fields are needed for the task at hand.
3. Incomplete Protection where some data is stored in a less protected place, like audit logs.
4. Inconsistent Data Protection where the data is protect in storage, but then held in memory after is is no long in use. For example if data is downloaded into a portable device which might not have the same protection levels.
5. Back-ups may maintain user protected data forever and not be properly deleted after a specific, predetermined time interval.
6. Decommissioned storage devices may be recycled where private user data is still on the storage device.
7. Over collecting data based on the idea that the data might be useful sometime so let's be safe and keep it all.
8. Lack of internal auditing to be sure that the data actually in store belong there.
9. Improper incentives = I will get a bad review if I can get the data my boss asks for but no one will blame me if thousands of user’s lives are disrupted.

Solution

Board of Directors

Policy and responsibility must start at the Board of Directors (BoD) for the Corporation (or the similar responsible party in other types of Enterprises)^[1] It should be clear that all Enterprises are now, at least at the highest level, just data processing organizations. This is not news, what is new is that extent to which that data processing has been mechanized and structured. With Artificial Intelligence the automation of the processing of that data will continue to shed clerical workers and put the executives in more direct contact with their organizations, albeit mediated by the AI rather than by many layers of management and clerical processing. The importance of maintaining control of both the data arriving and the commands originating in the executive level is of life-or-death criticality to the organization. Somehow the board needs to ensure that the processing of the data is secure from both exfiltration and injection.

Describe the board of directors' oversight of risks from cybersecurity threats. If applicable, identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks.

Instruction 2 to Item 106(c): Relevant expertise of management in Item 106(c)(2)(i) may include, for example: Prior work experience in cybersecurity; any relevant degrees or certifications; any knowledge, skills, or other background in cybersecurity.

Contrary to popular belief, data security begins with the Board of Directors, not the IT Department. A corporate board that prioritizes data security can set the tone throughout an organization by instilling a culture of security, establishing strong security expectations, and breaking down internal silos to facilitate technical and strategic collaboration. ... A strong data security program starts at the top. While it might not be the board’s role to manage day-to-day security operations, it is their job to set priorities and allocate the resources necessary to ensure effective security. Board members need to talk the talk and walk the walk. They should demonstrate a sophisticated grasp of the data security challenges their company faces and act in a way that sets the tone for the entire organization.

Enforcement

Most governments apply some rules as to how user/consumer data is handled by Enterprises. Federations, like the US or EU, have multiple levels at which privacy can be regulated. Often the agency that handles disclosure of privacy breaches (like the US SEC) is separate from the one that deals with protection of user data.

• GDPR
• US FTC https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/privacy-security-enforcement

Server Farms

Ensuring user private information is properly protected on a company’s website requires a multi-layered security approach.

1. Implement Strong Authentication - Use multi-factor authentication (MFA) to prevent unauthorized access. - Require strong passwords and encourage users to update them regularly.
2. Encrypt data at rest (stored data) and data in transit (moving data). - Use SSL/TLS certificates to secure website communications.
3. Limit Data Collection - Only collect necessary user data to minimize exposure. - Anonymize or mask sensitive information when possible.
4. Secure APIs and Databases - Implement API security measures like authentication tokens. - Regularly update and patch database vulnerabilities.
5. Monitor and Audit Security - Conduct regular security audits to identify weaknesses. - Use intrusion detection systems (IDS) to monitor suspicious activity.
6. Educate Employees - Train staff on cybersecurity best practices to prevent human errors. - Implement access controls to limit who can view sensitive data.
7. Comply with Regulations - Follow GDPR, HIPAA, or CCPA compliance standards.
8. Maintain transparent privacy policies for users.

References

1. ↑ Dominique Shelton Leipzig, Trust.: Responsible AI, Innovation, Privacy and Data Leadership ISBN 9798887501734

Other Source Material

• Also see wiki page Shared Data Protection.
• Also see wiki page Enterprise Data Audit.