Rosemary Tietge, FileMaker DevCon 2014
In an era where data breaches make regular headlines, securing business data has never been more critical. Rosemary Tietge’s DevCon 2014 session focused on the evolving threat landscape, security trends, and how FileMaker users can mitigate these risks by leveraging FileMaker’s built-in security tools. This post provides an in-depth exploration of the session’s insights, offering detailed strategies for safeguarding data using FileMaker’s capabilities.
Why Data Security is Critical for Businesses of All Sizes
Data breaches affect businesses of all sizes, not just large corporations. In fact, small and medium-sized businesses (SMBs) are frequent targets for cyberattacks because they often lack the security infrastructure of larger organizations. Tietge highlighted a statistic from a Wall Street Journal article: firms with 11 to 100 employees are attacked ten times more frequently than companies with 100 to 1,000 employees. The reason is simple—SMBs are seen as easier targets due to their limited IT resources and weaker security measures.
Why SMBs Are at Risk
- Weaker Security Postures: SMBs often have fewer resources to dedicate to advanced security measures such as multi-factor authentication (MFA) or encryption. Their security policies are frequently underdeveloped or nonexistent.
- Lack of IT Expertise: Many SMBs don’t have dedicated IT security teams, relying instead on generalist IT staff who may not be well-versed in cybersecurity.
- High-Value Targets: Despite their smaller size, SMBs often store valuable customer information, financial data, and intellectual property, making them attractive targets for attackers.
Data Breaches Are Costly
The financial impact of a data breach on SMBs can be catastrophic. According to Tietge, 60% of small businesses that experience a breach go out of business within six months. The average cost of a data breach per record is approximately $188, and the total costs can add up quickly. Beyond financial losses, businesses face reputational damage, potential lawsuits, and regulatory penalties.
SMBs must take data security seriously to protect their businesses from these outcomes.
Common Threats and Attack Vectors
Tietge’s session identified the most common attack vectors that cybercriminals exploit to compromise business systems. Understanding these vectors is key to defending against cyber threats.
1. Spear Phishing
Spear phishing is a more targeted and personalized form of phishing, in which attackers send fraudulent emails to specific individuals within an organization, often posing as trusted contacts. These emails aim to trick the recipient into divulging sensitive information, such as login credentials, or downloading malware.
How to Defend Against Spear Phishing:
- User Training: Educating employees to recognize phishing attempts is critical. Spear phishing attacks are sophisticated, but a well-trained user is less likely to fall for the scam.
- Email Filtering: Use advanced email filtering tools to detect and block phishing emails before they reach users’ inboxes.
2. Watering Hole Attacks
In watering hole attacks, cybercriminals compromise a legitimate website frequented by the target audience. When visitors access the site, they unknowingly download malware, which can lead to unauthorized access to business systems.
Mitigation Strategies:
- Regular Software Updates: Keep web browsers and plugins up-to-date to minimize the risk of malware exploits.
- Secure Web Gateways: Use secure web gateways that monitor and block malicious websites to protect users from unknowingly downloading malware.
3. Zero-Day Vulnerabilities
A zero-day vulnerability refers to a flaw in software that is unknown to the software vendor, and therefore unpatched. Attackers exploit these vulnerabilities before the vendor has a chance to fix them, leaving organizations defenseless against the attack.
Defense Against Zero-Day Exploits:
- Patch Management: While zero-day vulnerabilities are unpatched by definition, regularly updating software and applying patches can help prevent attacks that exploit known vulnerabilities.
- Advanced Threat Protection: Invest in advanced threat protection systems that detect unusual activity and mitigate attacks before they cause damage.
4. Insider Threats
Insider threats, where employees or contractors abuse their access to steal or manipulate data, pose a significant risk. These individuals already have access to critical systems, making it difficult to detect malicious behavior until it’s too late.
Mitigating Insider Threats:
- User Behavior Analytics (UBA): Use UBA tools to monitor and flag unusual behavior patterns that could indicate malicious activity.
- Least Privilege Principle: Enforce the principle of least privilege, where users are granted the minimum access necessary to perform their job functions.
These attack vectors highlight the importance of a multi-layered security approach, combining user education, technology, and strong policies.
Nine Key Incident Patterns to Watch For
Tietge discussed nine common incident patterns that represent the majority of security breaches. These patterns are crucial for understanding the types of threats that businesses face and how they might manifest in a FileMaker environment.
1. Insider and Privilege Misuse
Employees, contractors, or third-party partners may misuse their privileges to access sensitive data, either for personal gain or to sabotage the system. This can include unauthorized data downloads, copying sensitive information, or modifying records.
Detection and Prevention:
- Activity Logging: Regularly review logs of who accessed what data, and flag unusual activity for investigation.
- Access Control: Ensure that all employees have only the access they need to perform their job functions, and revoke access immediately when it is no longer necessary.
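The log review described under Activity Logging (and the behavior monitoring mentioned earlier under Insider Threats), as an added example that is not from the session or from FileMaker. The log layout, account names, business-hours window and 10x volume threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit log: ISO timestamp, account, action, table, record count.
# The field layout is an assumption for this example, not a FileMaker log format.
LOG = """\
2014-07-21T09:12:00 jlee view Customers 14
2014-07-21T14:40:00 jlee edit Invoices 6
2014-07-22T10:05:00 jlee view Customers 18
2014-07-23T11:30:00 jlee view Customers 12
2014-07-23T15:02:00 mgarcia export Invoices 40
2014-07-24T09:45:00 jlee view Customers 16
2014-07-24T23:17:00 jlee export Customers 4200
2014-07-25T10:20:00 mgarcia export Invoices 35
"""

BUSINESS_HOURS = range(7, 20)   # assumed policy: 07:00-19:59 local time
VOLUME_FACTOR = 10              # flag a day at 10x the account's median day


def flag_unusual(log_text):
    """Return sorted (account, date, reason) tuples worth a manual look."""
    daily = defaultdict(lambda: defaultdict(int))   # account -> date -> records
    flags = set()
    for line in log_text.splitlines():
        stamp, account, action, table, count = line.split()
        when = datetime.fromisoformat(stamp)
        day = when.date().isoformat()
        daily[account][day] += int(count)
        if when.hour not in BUSINESS_HOURS:
            flags.add((account, day, f"off-hours {action} on {table}"))
    for account, days in daily.items():
        # The median keeps one extreme day from hiding itself in the baseline.
        typical = median(days.values())
        for day, total in days.items():
            if total > VOLUME_FACTOR * typical:
                flags.add((account, day, f"{total} records vs median {typical:g}"))
    return sorted(flags)


if __name__ == "__main__":
    for account, day, reason in flag_unusual(LOG):
        print(f"{day} {account}: {reason}")
```

Both findings here point at the same event, which is typical: a bulk export outside working hours trips the volume and time-of-day checks together.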
2. Physical Loss and Theft
Devices like laptops, smartphones, and tablets can be lost or stolen, granting attackers physical access to business data if these devices are not properly secured.
Mitigation:
- Encryption: Ensure that all devices are encrypted so that data cannot be accessed without proper authentication.
- Remote Wipe: Implement remote wipe capabilities for mobile devices to erase data if the device is lost or stolen.
3. Miscellaneous Errors
Human error is one of the most common causes of data breaches. Accidental data leaks can occur due to misconfigured security settings, sending sensitive emails to the wrong recipients, or failing to update critical security patches.
Prevention:
- Employee Training: Educate employees on data handling best practices and encourage double-checking sensitive tasks.
- Automated Security Checks: Use automated tools to monitor configurations and settings, ensuring that sensitive data is adequately protected.
4. Point-of-Sale (PoS) Intrusions
PoS systems are often targeted by attackers seeking to steal payment card information. This is particularly relevant for businesses in the retail and hospitality sectors.
Protection Strategies:
- Network Segmentation: Isolate PoS systems from other parts of the network to limit the spread of an attack.
- Tokenization: Use tokenization to protect payment card data, replacing sensitive card numbers with non-sensitive equivalents.
5. Denial of Service (DoS) Attacks
DoS attacks overwhelm a system with traffic, rendering it unavailable to legitimate users. These attacks are often used to disrupt operations or demand a ransom to stop the attack.
Defense:
- Content Delivery Networks (CDNs): CDNs help distribute traffic, reducing the likelihood that a single point of failure can be overwhelmed by a DoS attack.
- Firewalls and Intrusion Prevention Systems (IPS): Implement firewalls and IPS solutions to detect and block malicious traffic before it can overwhelm the system.
6. Web Application Attacks
Web applications, such as customer portals or internal business tools, are frequent targets for attackers looking to exploit vulnerabilities in code to gain unauthorized access.
Defense:
- Code Reviews: Regularly review and test web applications for security vulnerabilities, such as SQL injection or cross-site scripting (XSS) flaws.
- Web Application Firewalls (WAF): WAFs protect against many types of web-based attacks by inspecting incoming traffic and blocking malicious requests.
By understanding these patterns, businesses can focus their security efforts on the most relevant risks and take preventive action to mitigate potential threats.
Data Breaches and Small Business Vulnerabilities
While large corporations are often in the headlines for massive data breaches, small businesses are increasingly targeted by cybercriminals due to their weaker security defenses. Tietge emphasized that small businesses (SMBs) are attractive targets for several reasons:
SMBs Are Under-Resourced
Many small businesses lack dedicated cybersecurity teams, making it easier for attackers to exploit vulnerabilities. SMBs often don’t invest in advanced security tools or perform regular security audits, leaving their systems exposed.
Human Error and Lack of Training
Employees at smaller companies may not receive adequate training on cybersecurity, making them more susceptible to phishing and social engineering attacks. Since these businesses typically do not have the resources for extensive IT support, mistakes go unnoticed and uncorrected.
Financial and Reputational Impact
For SMBs, the consequences of a data breach can be devastating:
- Financial Costs: The average cost of a data breach for SMBs includes lost business, regulatory fines, and legal fees, which can easily surpass six figures.
- Loss of Customer Trust: Once a breach is disclosed, customers may lose trust in the business’s ability to protect their data, leading to churn and reputational damage.
Tietge stressed that no business is too small to invest in cybersecurity. Even with limited resources, SMBs can implement essential security measures—like strong passwords, regular software updates, and encryption—to reduce their risk of becoming a target.
How FileMaker Helps Mitigate Security Risks
The FileMaker Platform offers several built-in security features that help businesses protect their data and reduce the risk of breaches. Tietge explained how these features can be leveraged to secure FileMaker environments.
Accounts and Privilege Sets
One of the most important tools for securing a FileMaker system is the accounts and privilege sets feature, which allows for granular control over what each user can access and modify within the system.
Best Practices:
- Role-Based Access Control (RBAC): Assign users specific roles based on their job functions, and ensure that each role has only the minimum necessary permissions.
- Regular Audits: Periodically review user access and adjust privileges as needed to prevent “permission creep,” where users accumulate unnecessary privileges over time.
Encryption at Rest (EAR)
FileMaker’s Encryption at Rest (EAR) feature allows businesses to encrypt all data stored within the system using AES-256 encryption. This ensures that even if the physical server or a backup is stolen, the data remains protected.
Why EAR is Essential:
- Compliance: Encryption helps meet regulatory requirements like HIPAA, GDPR, and PCI DSS, which mandate that sensitive data be encrypted at rest.
- Data Breach Protection: EAR prevents unauthorized individuals from accessing data even if they gain physical control over the server or storage device.
SSL Encryption
FileMaker supports SSL encryption, which ensures that all data transmitted between clients and the FileMaker Server is encrypted. SSL protects against man-in-the-middle attacks, where an attacker intercepts data during transmission.
SSL Implementation:
- Enable SSL on FileMaker Server: Always enable SSL to ensure that communications between FileMaker clients and the server are encrypted.
- Use Trusted Certificates: Avoid self-signed certificates. Clients cannot validate them against a trusted authority, which leaves the connection open to interception. Use certificates from a trusted certificate authority (CA).
External Authentication
FileMaker integrates seamlessly with Active Directory (AD) and Open Directory (OD), allowing businesses to manage user authentication through existing network directories. This centralizes user management and ensures that security policies are consistent across the organization.
Advantages of External Authentication:
- Centralized Control: IT departments can manage all users from a single directory, ensuring that access control policies are applied consistently across all systems.
- Reduced Complexity: Users don’t need separate credentials for FileMaker; their AD or OD credentials are sufficient, streamlining the login process.
By leveraging these built-in tools, businesses can secure their FileMaker environments and reduce the risk of unauthorized access or data breaches.
Best Practices for Securing Data in FileMaker
To fully benefit from FileMaker’s security features, Tietge recommended several best practices that every FileMaker user should follow:
1. Know Your Data and Access Rights
Understand what data is being stored, who has access to it, and whether access rights are appropriate. Regularly audit user permissions to ensure that employees have access only to the data they need for their role.
2. Use Encryption at Rest (EAR)
Encrypt all sensitive data stored within FileMaker using AES-256 encryption. This ensures that if the server is compromised, the data remains protected.
3. Implement Two-Factor Authentication (2FA)
While FileMaker does not natively support 2FA, it’s advisable to implement 2FA using external authentication solutions wherever possible. This adds an extra layer of protection against unauthorized access, even if login credentials are compromised.
4. Regularly Review and Revoke Access
Conduct regular reviews of all user accounts and revoke access for employees who no longer need it, particularly after job changes or terminations. This helps to prevent privilege creep and unauthorized access.
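One way to run the access review described here and under Regular Audits in the Accounts and Privilege Sets section, as an added example that is not from the session or from FileMaker. The CSV layout, the roster, the account names and the 90-day staleness threshold are assumptions constructed for illustration; only the bracketed privilege set names are FileMaker's built-in ones.

```python
import csv
import io
from datetime import date

# Constructed sample data: an account list as CSV. The column layout is an
# assumption for this example, not a FileMaker export format.
ACCOUNTS_CSV = """account,privilege_set,status,last_login
admin,[Full Access],active,2014-07-20
jlee,[Data Entry Only],active,2014-07-25
mgarcia,Sales Manager,active,2014-07-24
tnguyen,[Full Access],active,2014-07-22
bsmith,[Data Entry Only],active,2014-02-03
kpatel,[Read-Only Access],active,2014-07-18
"""

# Constructed HR roster: current staff and the privilege sets each role needs.
ROSTER = {
    "admin": {"[Full Access]"},
    "jlee": {"[Data Entry Only]"},
    "mgarcia": {"Sales Manager"},
    "tnguyen": {"[Data Entry Only]"},   # changed jobs, no longer a developer
    "bsmith": {"[Data Entry Only]"},
    # kpatel left the company and is absent from the roster
}

STALE_AFTER_DAYS = 90  # assumed policy threshold


def review_accounts(csv_text, roster, today):
    """Return sorted (account, finding) pairs for accounts that need attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"] != "active":
            continue  # disabled accounts cannot log in
        name, pset = row["account"], row["privilege_set"]
        allowed = roster.get(name)
        if allowed is None:
            findings.append((name, "not on roster: revoke"))
            continue
        if pset not in allowed:
            findings.append((name, f"privilege creep: has {pset}"))
        idle = (today - date.fromisoformat(row["last_login"])).days
        if idle > STALE_AFTER_DAYS:
            findings.append((name, f"stale: idle {idle} days"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in review_accounts(ACCOUNTS_CSV, ROSTER, date(2014, 7, 28)):
        print(f"{account}: {finding}")
```

Driving the review from the roster rather than from the account list is what catches departed staff: an account with no matching roster entry is a finding by default.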
5. Host Solutions on FileMaker Server
By hosting solutions on FileMaker Server rather than on local machines, businesses can take advantage of enhanced security features, such as logging, encryption, and centralized access control.
6. Conduct Penetration Testing
Periodically hire third-party security experts to conduct penetration tests on your FileMaker environment. These tests can help uncover vulnerabilities that may have been overlooked during regular security checks.
By implementing these best practices, businesses can significantly reduce the risk of a data breach and ensure that their FileMaker systems remain secure.
Compliance and Regulatory Requirements
Tietge highlighted the growing importance of complying with regulations and industry standards. Failure to comply with regulations such as HIPAA, PCI DSS, and GDPR can result in severe penalties and legal consequences. Fortunately, FileMaker can help businesses meet these requirements through its security features.
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA mandates strict security standards for handling personal health information (PHI). FileMaker systems used in healthcare settings must ensure:
- Encryption of PHI: Data at rest and in transit must be encrypted using strong encryption methods such as AES-256 and SSL.
- Access Control: Implement strict access controls to ensure that only authorized personnel can access PHI.
PCI DSS (Payment Card Industry Data Security Standards)
Businesses that process or store payment card data must comply with PCI DSS, which sets stringent standards for data protection.
- Data Minimization: Avoid storing sensitive cardholder data whenever possible. Use tokenization to replace sensitive card data with tokens that can be used for transactions without exposing the original data.
- Encryption: Encrypt cardholder data both at rest and in transit to prevent unauthorized access.
GDPR (General Data Protection Regulation)
GDPR protects the personal data of individuals within the European Union. FileMaker systems that handle personal data must comply with GDPR’s data protection requirements.
- Data Subject Rights: Ensure that users can exercise their rights under GDPR, such as accessing or deleting their personal data.
- Data Breach Notifications: Be prepared to notify regulatory authorities and affected individuals in the event of a data breach.
By understanding the relevant regulations and leveraging FileMaker’s security tools, businesses can ensure compliance and avoid legal penalties.
Key Takeaways from the Session
Rosemary Tietge’s DevCon 2014 session provided critical insights into the current threat landscape and how businesses can protect their data using the FileMaker Platform. Here are the key takeaways:
- SMBs are increasingly targeted by cybercriminals and must invest in cybersecurity to avoid costly breaches.
- FileMaker’s security features, including accounts and privilege sets, encryption at rest, and SSL, provide a robust foundation for securing business data.
- Implementing best practices, such as regular access audits, encryption, and hosting solutions on FileMaker Server, can significantly reduce the risk of a data breach.
- Compliance with regulations like HIPAA, PCI DSS, and GDPR is critical for businesses handling sensitive data, and FileMaker offers the tools necessary to meet these compliance requirements.
By following these recommendations, businesses can safeguard their FileMaker systems against cyber threats and ensure compliance with industry standards.
This expanded blog post provides a thorough analysis of Rosemary Tietge’s session on security in the FileMaker Platform, offering actionable advice for securing FileMaker systems and protecting business data against the evolving threat landscape.
DevCon 2014: Security – The Threat Landscape and the FileMaker Platform – Rosemary Tietge